From 02e4e7d48f49378e00fc8fa609ce1451588054fc Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Sun, 17 Jan 2021 12:12:53 +0100
Subject: [PATCH 001/126] Sort APT packages
Signed-off-by: Yohann D'ANELLO
---
 roles/baseconfig/tasks/main.yml | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml
index 1c91511..f68155c 100644
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@@ -4,26 +4,26 @@
 when: ansible_os_family == "Debian"
 apt:
 name:
- - sudo
- - molly-guard # prevent reboot
- - ntp # network time sync
+ - acl # advanced ACL
 - apt # better than apt-get
- - nano # for vulcain
- - vim # better than nano
- - emacs-nox # for maman
- - htop # better than top
- - zsh # to be able to ssh @erdnaxe
- - fish # to motivate @edpibu
- - oidentd # postgresql identification
 - aptitude # nice to have for Ansible
- - acl # advanced ACL
- - iotop # monitor i/o
- - tree # create a graphical tree of files
 - bash-completion # because bash
+ - emacs-nox # for maman
+ - fish # to motivate @edpibu
 - git # code versioning
+ - htop # better than top
+ - iotop # monitor i/o
 - less # i like cats
- - screen # Vulcain asked for this
 - lsb-release
+ - molly-guard # prevent reboot
+ - nano # for vulcain
+ - ntp # network time sync
+ - oidentd # postgresql identification
+ - screen # Vulcain asked for this
+ - sudo
+ - tree # create a graphical tree of files
+ - vim # better than nano
+ - zsh # to be able to ssh @erdnaxe
 update_cache: true
 register: apt_result
 retries: 3
From 0364006062742dbad2a6f7dded687e522b7514cb Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Sun, 17 Jan 2021 12:13:30 +0100
Subject: [PATCH 002/126] Install curl and net-tools by default
Signed-off-by: Yohann D'ANELLO
---
 roles/baseconfig/tasks/main.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml
index f68155c..4fa34c7 100644
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@@ -8,6 +8,7 @@
 - apt # better than apt-get
 - aptitude # nice to have for Ansible
 - bash-completion # because bash
+ - curl # better than wget
 - emacs-nox # for maman
 - fish # to motivate @edpibu
 - git # code versioning
@@ -17,6 +18,7 @@
 - lsb-release
 - molly-guard # prevent reboot
 - nano # for vulcain
+ - net-tools
 - ntp # network time sync
 - oidentd # postgresql identification
 - screen # Vulcain asked for this
From ee1726589a09555db05176a927c633d123a347b5 Mon Sep 17 00:00:00 2001
From: otthorn
Date: Sun, 17 Jan 2021 17:06:59 +0100
Subject: [PATCH 003/126] Linter should pass now!
---
 host_vars/proxy-ovh.adm.auro.re.yml | 4 ++--
 roles/baseconfig/tasks/main.yml | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/host_vars/proxy-ovh.adm.auro.re.yml b/host_vars/proxy-ovh.adm.auro.re.yml
index 4659ba3..37c50d2 100644
--- a/host_vars/proxy-ovh.adm.auro.re.yml
+++ b/host_vars/proxy-ovh.adm.auro.re.yml
@@ -54,12 +54,12 @@ nginx:
 to: "10.128.0.150:8080"
 - from: chat.auro.re
 to: "10.128.0.150:8080"
-
+
 - from: codimd.auro.re
 to: "10.128.0.150:8081"
 - from: hedgedoc.auro.re
 to: "10.128.0.150:8081"
-
+
 - from: grafana.auro.re
 to: "10.128.0.150:8082"
 
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml
index 4fa34c7..2455998 100644
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@@ -94,13 +94,13 @@
 apt:
 pkg: smartmontools
 state: absent
- autoremove: yes
+ autoremove: true
 when: ansible_system_vendor == "QEMU"
 
 - name: Remove useless packages from the cache
 apt:
- autoclean: yes
+ autoclean: true
 
 - name: Remove dependencies that are no longer required
 apt:
- autoremove: yes
+ autoremove: true
From 293a3855a18eb35a2d97928bd80f049754f498cc Mon Sep 17 00:00:00 2001
From: otthorn
Date: Sun, 17 Jan 2021 17:10:55 +0100
Subject: [PATCH 004/126] Add the new CNAMES to the list of domains for certbot. No wonder it did work magicly...
---
 host_vars/proxy-ovh.adm.auro.re.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/host_vars/proxy-ovh.adm.auro.re.yml b/host_vars/proxy-ovh.adm.auro.re.yml
index 37c50d2..595e12c 100644
--- a/host_vars/proxy-ovh.adm.auro.re.yml
+++ b/host_vars/proxy-ovh.adm.auro.re.yml
@@ -2,10 +2,13 @@
 certbot:
 domains:
 - auro.re
+ - chat.auro.re # cname to riot.auro.re
 - codimd.auro.re
 - grafana.auro.re
+ - hedgedoc.auro.re # cname to codimd.auro.re
 - pad.auro.re
 - passbolt.auro.re
+ - paste.auro.re # cname to privatebin.auro.re
 - phabricator.auro.re
 - privatebin.auro.re
 - riot.auro.re
@@ -13,7 +16,7 @@ certbot:
 - status.auro.re
 - wiki.auro.re
 - www.auro.re
- - zero.auro.re
+ - zero.auro.re # cname to privatebin.auro.re
 mail: tech.aurore@lists.crans.org
 certname: auro.re
 
From facfe3c169810b4e4c1d81bae5b7c1a94f9f00f6 Mon Sep 17 00:00:00 2001
From: otthorn
Date: Sun, 17 Jan 2021 18:21:29 +0100
Subject: [PATCH 005/126] Attempt to fix ansible lint
---
 roles/isc_dhcp_server/tasks/main.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/isc_dhcp_server/tasks/main.yml b/roles/isc_dhcp_server/tasks/main.yml
index b40b2b8..57d2d25 100644
--- a/roles/isc_dhcp_server/tasks/main.yml
+++ b/roles/isc_dhcp_server/tasks/main.yml
@@ -18,6 +18,7 @@
 owner: re2o-services
 group: nogroup
 recurse: true
+ mode: 755
 
 - name: Install isc-dhcp-server
 apt:
@@ -101,7 +102,7 @@
 when: is_aurore_host
 
 - name: force run dhcp re2o-service
- shell: /var/local/re2o-services/dhcp/main.py --force
+ command: /var/local/re2o-services/dhcp/main.py --force
 
 - name: Ensure dhcpd is running
 service:
From 9e135e1dfd2fcb0bc9c7107f66c5131cf28ad704 Mon Sep 17 00:00:00 2001
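Review bot: `mode: 755` added to the isc_dhcp_server file task (its `path:` is above the hunk) is a bare integer, which Ansible hands to the file module as decimal 755 = octal 01363 rather than 0755; with `recurse: true` every entry under that directory ends up owner `-wx`, group `rw-`, other `-wx` plus the sticky bit. Quote it with its leading zero, `mode: "0755"`, so it is handled as octal, and since it is applied recursively consider whether every file in a tree owned by re2o-services should really be executable or whether the directory alone needs 0755. This is the same quoting the logrotate role uses later in the series (`mode: "0644"`).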
From: otthorn
Date: Sun, 17 Jan 2021 23:49:29 +0100
Subject: [PATCH 006/126] Fix ansible lint v3 -- on the right branch this time!
---
 .ansible-lint | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.ansible-lint b/.ansible-lint
index d03cb8f..a85e701 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,2 +1,7 @@
 skip_list:
 - '301'
+
+warn_list:
+ - '305' # Use shell only when shell functionality is required
+ - '503' # Tasks that run when changed should likely be handlers
+ - experimental # all rules tagged as experimental
From 4a57dad8a6091e6b65889d4d362d2461174fe681 Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Tue, 19 Jan 2021 23:19:25 +0100
Subject: [PATCH 007/126] use handlers
---
 roles/certbot/handlers/main.yml | 8 ++++++++
 roles/certbot/tasks/main.yml | 20 +++----------------
 2 files changed, 11 insertions(+), 17 deletions(-)
 create mode 100644 roles/certbot/handlers/main.yml
diff --git a/roles/certbot/handlers/main.yml b/roles/certbot/handlers/main.yml
new file mode 100644
index 0000000..b8517e5
--- /dev/null
+++ b/roles/certbot/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Reload nginx
+ service:
+ name: nginx
+ state: reloaded
+
+- name: Generate certificates
+ shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index f29d557..cbce286 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
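Review bot: In the new roles/certbot/handlers/main.yml `Reload nginx` is defined before `Generate certificates`, and Ansible runs notified handlers in the order they are defined in the handlers file, not the order given under `notify:`; after a config change nginx is therefore reloaded first and only then is the certificate issued, so it keeps serving the previous certificate until something else reloads it. Define `Generate certificates` first (or give that handler its own `notify: Reload nginx`) so the reload follows the issuance. The `shell:` on the last line is already turned into `command:` by PATCH 008 below.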
@@ -20,20 +20,6 @@
 src: "letsencrypt/conf.d/certname.ini.j2"
 dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
 mode: 0644
- register: certbot_config
-
-- name: Stop services to allow certbot to generate a cert.
- service:
- name: nginx
- state: stopped
- when: certbot_config.changed
-
-- name: Generate new certificate if the configuration changed
- shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
- when: certbot_config.changed
-
-- name: Restart services to allow certbot to generate a cert.
- service:
- name: nginx
- state: started
- when: certbot_config.changed
+ notify:
+ - Generate certificates
+ - Reload nginx
From f0e3bd78c9cbd877c463de6230e65b3f0edcafca Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Tue, 19 Jan 2021 23:27:17 +0100
Subject: [PATCH 008/126] use command instead of shell when you don't need sh features (pipes, env, etc...)
---
 roles/certbot/handlers/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/certbot/handlers/main.yml b/roles/certbot/handlers/main.yml
index b8517e5..82d2202 100644
--- a/roles/certbot/handlers/main.yml
+++ b/roles/certbot/handlers/main.yml
@@ -5,4 +5,4 @@
 state: reloaded
 
 - name: Generate certificates
- shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+ command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
From 51681922aabd55587cc8f97b0e8bc02443ee63ef Mon Sep 17 00:00:00 2001
From: otthorn
Date: Wed, 20 Jan 2021 17:01:49 +0100
Subject: [PATCH 009/126] Even more CNAMEs !
---
 host_vars/proxy-ovh.adm.auro.re.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/host_vars/proxy-ovh.adm.auro.re.yml b/host_vars/proxy-ovh.adm.auro.re.yml
index 595e12c..d68a483 100644
--- a/host_vars/proxy-ovh.adm.auro.re.yml
+++ b/host_vars/proxy-ovh.adm.auro.re.yml
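Review bot: The removed tasks stopped nginx before certbot ran and started it again afterwards, which suggests the rendered certname.ini uses an authenticator that binds port 80 itself (the ini template is outside this hunk, so this is inferred); with the new `notify:` the `Generate certificates` handler runs while nginx is still listening and would fail to bind in that case. Check which authenticator the ini selects: with `webroot` or `nginx` the new flow is fine, with `standalone` the handler still needs the stop/start around the certbot call, for instance via `pre-hook`/`post-hook` entries in the ini. The template task whose `notify:` this is starts above the hunk.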
@@ -4,6 +4,8 @@ certbot:
 - auro.re
 - chat.auro.re # cname to riot.auro.re
 - codimd.auro.re
+ - element.auro.re # cname to riot.auro.re
+ - ehterpad.auro.re # cname to pad.auro.re
 - grafana.auro.re
 - hedgedoc.auro.re # cname to codimd.auro.re
 - pad.auro.re
From 40d3c2227642e3223f8a4a3ad538d64dfcafcc4d Mon Sep 17 00:00:00 2001
From: pz2891
Date: Thu, 21 Jan 2021 21:26:40 +0100
Subject: [PATCH 010/126] Setup config snmp for Prometheus, to monitore Aurore's PDU
---
 monitoring.yml | 3 +
 roles/baseconfig/tasks/main.yml.save | 89 +++++++++++++++++++
 roles/prometheus/tasks/main.yml | 7 ++
 roles/prometheus/tasks/main.yml.save | 76 ++++++++++++++++
 .../templates/prometheus/prometheus.yml.j2 | 16 ++++
 .../templates/prometheus/snmp.yml.j2 | 72 +++++++++++++++
 6 files changed, 263 insertions(+)
 create mode 100644 roles/baseconfig/tasks/main.yml.save
 create mode 100644 roles/prometheus/tasks/main.yml.save
diff --git a/monitoring.yml b/monitoring.yml
index 714baa6..a64c5b5 100755
--- a/monitoring.yml
+++ b/monitoring.yml
@@ -34,6 +34,9 @@
 snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
 
 # Prometheus targets.json
+ prometheus_ups_snmp_targets:
+ - ups-ec-1.ups.auro.re
+
 prometheus_targets:
 - targets: |
 {{ groups['edc_pve'] + groups['edc_vm'] | list | sort }}
diff --git a/roles/baseconfig/tasks/main.yml.save b/roles/baseconfig/tasks/main.yml.save
new file mode 100644
index 0000000..d73cf07
--- /dev/null
+++ b/roles/baseconfig/tasks/main.yml.save
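Review bot: `ehterpad.auro.re` on the new line looks like a misspelling of `etherpad.auro.re` (the comment says it is a CNAME to pad.auro.re). This list becomes a single certificate request for `certname: auro.re`, so one name that does not resolve fails the ACME validation and blocks issuance for every other domain in the list; check the DNS record and correct the entry to `- etherpad.auro.re # cname to pad.auro.re`.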
@@ -0,0 +1,89 @@ +--- +# Should contain only small tools that everyone can't live without +- name: Install basic tools + when: ansible_os_family == "Debian" + apt: + name: + - sudo + - molly-guard # prevent reboot + - ntp # network time sync + - apt # better than apt-get + - nano # for vulcain + - vim # better than nano + - emacs-nox # for maman + - htop # better than top + - zsh # to be able to ssh @erdnaxe + - fish # to motivate @edpibu + - oidentd # postgresql identification + - aptitude # nice to have for Ansible + - acl # advanced ACL + - iotop # monitor i/o + - tree # create a graphical tree of files + - bash-completion # because bash + - git # code versioning + - less # i like cats + - screen # Vulcain asked for this + - lsb-release + update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded + +# Pimp my server +- name: Customize motd + copy: + src: "update-motd.d/{{ item }}" + dest: "/etc/update-motd.d/{{ item }}" + mode: 0755 + loop: + - 00-logo + - 10-uname + +- name: Remove Debian warranty motd + file: + path: /etc/motd + state: absent + +# Configure APT mirrors on Debian Stretch +- name: Configure APT mirrors + when: + - ansible_distribution == 'Debian' + - ansible_distribution_release == 'stretch' + template: + src: apt/sources.list.j2 + dest: /etc/apt/sources.list + mode: 0644 + +# Patriotisme +- name: Ensure French UTF-8 locale exists + locale_gen: + name: fr_FR.UTF-8 + state: present + +# Fix LC_CTYPE="C" +- name: Select default locale + debconf: + name: locales + question: locales/default_environment_locale + value: fr_FR.UTF-8 + vtype: select + notify: Reconfigure locales + +# APT-List Changes : send email with changelog +- include_tasks: apt-listchanges.yml + +# User skeleton +- name: Configure user skeleton + copy: + src: "skel/dot_{{ item }}" + dest: "/etc/skel/.{{ item }}" + mode: 0644 + loop: + - zshrc + - zshrc.local + +- name: Configure resolvconf + template: + src: resolv.conf + dest: /etc/resolv.conf + mode: 
0644 diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 211aee3..0b5ad0e 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml @@ -56,6 +56,13 @@ dest: /etc/prometheus/targets_unifi_snmp.json mode: 0644 +- name: Configure Prometheus UPS SNMP devices + copy: + content: "{{ [{'targets': prometheus_ups_snmp_targets }] | to_nice_json }}\n" + dest: /etc/prometheus/targets_ups_snmp.json + mode: 0644 + + - name: Activate prometheus service systemd: name: prometheus diff --git a/roles/prometheus/tasks/main.yml.save b/roles/prometheus/tasks/main.yml.save new file mode 100644 index 0000000..cca66e5 --- /dev/null +++ b/roles/prometheus/tasks/main.yml.save 
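Review bot: roles/baseconfig/tasks/main.yml.save (this hunk) and roles/prometheus/tasks/main.yml.save (the next file) are editor backup copies that should not be committed: the first is the unsorted package list that PATCH 001 already replaced, the second carries a truncated `content: "{{ [{'target | to_nice_json }}"` line whose Jinja would fail to render. Ansible only loads tasks/main.yml, so both are inert, but they will mislead anyone reading the roles and drift further from the real files over time. PATCH 026 below deletes the prometheus copy but not the baseconfig one; remove that file as well and add `*.save` to .gitignore so the pattern does not recur.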
@@ -0,0 +1,76 @@ +--- +- name: Install Prometheus + apt: + update_cache: true + name: + - prometheus + - prometheus-snmp-exporter + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Configure Prometheus + template: + src: prometheus/prometheus.yml.j2 + dest: /etc/prometheus/prometheus.yml + mode: 0644 + notify: Restart Prometheus + +- name: Configure Prometheus alert rules + template: + src: "prometheus/{{ item }}.j2" + dest: "/etc/prometheus/{{ item }}" + mode: 0644 + notify: Restart Prometheus + loop: + - alert.rules.yml + - django.rules.yml + +- name: Make Prometheus snmp-exporter listen on localhost only + lineinfile: + path: /etc/default/prometheus-snmp-exporter + regexp: '^ARGS=' + line: "ARGS=\"--web.listen-address=127.0.0.1:9116\"" + notify: Restart prometheus-snmp-exporter + +# This file store SNMP OIDs +- name: Configure Prometheus snmp-exporter + template: + src: "prometheus/snmp.yml.j2" + dest: "/etc/prometheus/snmp.yml" + mode: 0600 + owner: prometheus + notify: Restart prometheus-snmp-exporter + +# We don't need to restart Prometheus when updating nodes +- name: Configure Prometheus nodes + copy: + content: "{{ prometheus_targets | to_nice_json }}" + dest: /etc/prometheus/targets.json + mode: 0644 + +# We don't need to restart Prometheus when updating nodes +- name: Configure Prometheus Ubiquity Unifi SNMP devices + copy: + content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}" + dest: /etc/prometheus/targets_unifi_snmp.json + mode: 0644 + +- name: Configure Prometheus UPS SNMP devices + copy: + content: "{{ [{'target | to_nice_json }}" + dest: /etc/prometheus/targets_ups_snmp.json + mode: 0644 + + +- name: Activate prometheus service + systemd: + name: prometheus + enabled: true + state: started + +- name: Indicate role in motd + template: + src: update-motd.d/05-service.j2 + dest: /etc/update-motd.d/05-prometheus + mode: 0755 
diff --git a/roles/prometheus/templates/prometheus/prometheus.yml.j2 b/roles/prometheus/templates/prometheus/prometheus.yml.j2 index 31df6bd..e35a0cf 100644 --- a/roles/prometheus/templates/prometheus/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus/prometheus.yml.j2 @@ -65,3 +65,19 @@ scrape_configs: scheme: https static_configs: - targets: [] + + - job_name: ups_snmp + file_sd_configs: + - files: + - '/etc/prometheus/targets_ups_snmp.json' + metrics_path: /snmp + params: + module: [eatonups] + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: 127.0.0.1:9116 + diff --git a/roles/prometheus/templates/prometheus/snmp.yml.j2 b/roles/prometheus/templates/prometheus/snmp.yml.j2 index 84dcb65..5968095 100644 --- a/roles/prometheus/templates/prometheus/snmp.yml.j2 +++ b/roles/prometheus/templates/prometheus/snmp.yml.j2 
@@ -6,6 +6,78 @@ # - Optimiser les règles pour les bornes Unifi, # on pourrait indexer avec les SSID +eatonups: + walk: + - 1.3.6.1.2.1.33.1.2 + - 1.3.6.1.2.1.33.1.3 + - 1.3.6.1.2.1.33.1.4 + - 1.3.6.1.4.1.534.1.6 + get: + - 1.3.6.1.2.1.1.3.0 + metrics: + - name: sysUpTime + oid: 1.3.6.1.2.1.1.3 + type: gauge + help: The time (in hundredths of a second) since the network management portion + of the system was last re-initialized. - 1.3.6.1.2.1.1.3 + - name: upsBatteryStatus + oid: 1.3.6.1.2.1.33.1.2.1 + type: gauge + help: The indication of the capacity remaining in the UPS system's batteries - + 1.3.6.1.2.1.33.1.2.1 + - name: upsEstimatedMinutesRemaining + oid: 1.3.6.1.2.1.33.1.2.3 + type: gauge + help: An estimate of the time to battery charge depletion under the present load + conditions if the utility power is off and remains off, or if it were to be + lost and remain off. - 1.3.6.1.2.1.33.1.2.3 + - name: upsInputVoltage + oid: 1.3.6.1.2.1.33.1.3.3.1.3 + type: gauge + help: The magnitude of the present input voltage. - 1.3.6.1.2.1.33.1.3.3.1.3 + indexes: + - labelname: upsInputLineIndex + type: gauge + - name: upsOutputSource + oid: 1.3.6.1.2.1.33.1.4.1 + type: gauge + help: The present source of output power - 1.3.6.1.2.1.33.1.4.1 + - name: upsOutputVoltage + oid: 1.3.6.1.2.1.33.1.4.4.1.2 + type: gauge + help: The present output voltage. - 1.3.6.1.2.1.33.1.4.4.1.2 + indexes: + - labelname: upsOutputLineIndex + type: gauge + - name: upsOutputPower + oid: 1.3.6.1.2.1.33.1.4.4.1.4 + type: gauge + help: The present output true power. - 1.3.6.1.2.1.33.1.4.4.1.4 + indexes: + - labelname: upsOutputLineIndex + type: gauge + - name: upsOutputPercentLoad + oid: 1.3.6.1.2.1.33.1.4.4.1.5 + type: gauge + help: The percentage of the UPS power capacity presently being used on this output + line, i.e., the greater of the percent load of true power capacity and the percent + load of VA. 
- 1.3.6.1.2.1.33.1.4.4.1.5 + indexes: + - labelname: upsOutputLineIndex + type: gauge + - name: xupsEnvRemoteTemp + oid: 1.3.6.1.4.1.534.1.6.5 + type: gauge + help: The reading of an EMP's temperature sensor. - 1.3.6.1.4.1.534.1.6.5 + - name: xupsEnvRemoteHumidity + oid: 1.3.6.1.4.1.534.1.6.6 + type: gauge + help: The reading of an EMP's humidity sensor. - 1.3.6.1.4.1.534.1.6.6 + version: 1 + auth: + community: public + + procurve_switch: walk: - 1.3.6.1.2.1.31.1.1.1.10 From c7a3495ae52cef3689e8d708bc832750120aadd2 Mon Sep 17 00:00:00 2001 From: pz2891 Date: Fri, 22 Jan 2021 12:16:36 +0100 Subject: [PATCH 011/126] Alert rules for UPS --- .../templates/prometheus/alert.rules.yml.j2 | 67 +++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/roles/prometheus/templates/prometheus/alert.rules.yml.j2 b/roles/prometheus/templates/prometheus/alert.rules.yml.j2 index 2a10358..db99ab7 100644 --- a/roles/prometheus/templates/prometheus/alert.rules.yml.j2 +++ b/roles/prometheus/templates/prometheus/alert.rules.yml.j2 
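Review bot: The new `eatonups` module hardcodes `version: 1` and `community: public` in a template committed to the repository, so the UPS is polled with the well-known default community over SNMPv1, which carries it in cleartext and lets anyone who can reach the management card read the same data. The unifi targets in monitoring.yml already take their SNMP credential from a vaulted variable (`snmp_unifi_password: "{{ vault_snmp_unifi_password }}"`); do the same here, e.g. `community: "{{ snmp_ups_community }}"`, set a non-default community on the device, and if the card supports it prefer `version: 3` with authentication. The `procurve_switch` module that follows continues outside this hunk.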
@@ -59,4 +59,71 @@ groups:
 severity: warning
 annotations:
 summary: "{{ $labels.name }} a échoué sur {{ $labels.instance }}"
+
+ # Check UPS
+ - alert: UpsOutputSourceChanged
+ expr: upsOutputSource != 3
+ for: 5m
+ labels:
+ severity: warning
+ annotations:
+ summary: "La source d'alimentation de {{ $labels.instance }} a changé !"
+
+ - alert: UpsBatteryStatusWarning
+ expr: upsBatteryStatus == 3
+ for: 5m
+ labels:
+ severity: warning
+ annotations:
+ summary: "L'état de la batterie de {{ $labels.instance }} est faible !"
+
+ - alert: UpsBatteryStatusCritical
+ expr: upsBatteryStatus == 4
+ for: 5m
+ labels:
+ severity: warning
+ annotations:
+ summary: "L'état de la batterie de {{ $labels.instance }} est affaibli !"
+
+ - alert: UpsHighLoad
+ expr: upsOutputPercentLoad > 70
+ for: 5m
+ labels:
+ severity: critical
+ annotations:
+ summary: "La charge de {{ $labels.instance }} est de {{ $value }}% !"
+
+ - alert: UpsWrongInputVoltage
+ expr: (upsInputVoltage < 210) or (upsInputVoltage > 250)
+ for: 5m
+ labels:
+ severity: warning
+ annotations:
+ summary: "La tension d'entrée de {{ $labels.instance }} est de {{ $value }}V."
+
+ - alert: UpsWrongOutputVoltage
+ expr: (upsOutputVoltage < 225) or (upsOutputVoltage > 235)
+ for: 5m
+ labels:
+ severity: warning
+ annotations:
+ summary: "La tension de sortie de {{ $labels.instance }} est de {{ $value }}V."
+
+ - alert: UpsTimeRemainingWarning
+ expr: upsEstimatedMinutesRemaining < 15
+ for: 5m
+ labels:
+ severity: warning
+ annotations:
+ summary: "L'autonomie restante sur {{ $labels.instance }} est de {{ $value }} min."
+
+ - alert: UpsTimeRemainingCritical
+ expr: upsEstimatedMinutesRemaining < 5
+ for: 5m
+ labels:
+ severity: critical
+ annotations:
+ summary: "L'autonomie restante sur {{ $labels.instance }} est de {{ $value }} min."
+
+
 {% endraw %}
From 705fe953ae5bdb534982001cf130f89fba5abdb1 Mon Sep 17 00:00:00 2001
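Review bot: `UpsBatteryStatusCritical` (`upsBatteryStatus == 4`, batteryDepleted in UPS-MIB) is labelled `severity: warning`, the same as `UpsBatteryStatusWarning` for value 3 (batteryLow), whereas the sibling `UpsTimeRemainingCritical` uses `severity: critical`; presumably it should be `severity: critical` so alertmanager routing can tell a depleted battery from a low one. `for: 5m` on that alert and on `UpsTimeRemainingCritical` (under 5 minutes of autonomy) also means the page fires when little or nothing is left; a shorter `for: 1m` seems more useful for the two critical alerts. The rule group this extends starts above the hunk.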
From: pz2891
Date: Fri, 22 Jan 2021 18:20:13 +0100
Subject: [PATCH 012/126] Monitoring of Pacaterie's UPS
---
 monitoring.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/monitoring.yml b/monitoring.yml
index a64c5b5..9bcc370 100755
--- a/monitoring.yml
+++ b/monitoring.yml
@@ -14,7 +14,7 @@
 roles:
 - prometheus
 
-- hosts: prometheus-pacaterie.adm.auro.re,prometheus-pacaterie-fo.adm.auro.re
+- hosts: prometheus-pacaterie.adm.auro.re
 vars:
 prometheus_alertmanager: docker-ovh.adm.auro.re:9093
 snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
@@ -25,8 +25,10 @@
 {{ groups['pacaterie_pve'] + groups['pacaterie_vm'] | list | sort }}
 prometheus_unifi_snmp_targets:
 - targets: "{{ groups['pacaterie_unifi'] | list | sort }}"
+ prometheus_ups_snmp_targets:
+ - ups-pn-1.ups.auro.re
 roles:
- - prometheus
+ - prometheus
 
 - hosts: prometheus-edc.adm.auro.re
 vars:
From ddd69e04c00c2e695f06bc2cd89a8a2df0f30f63 Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Sat, 23 Jan 2021 14:25:35 +0100
Subject: [PATCH 013/126] create logrotate role
---
 roles/logrotate/handlers/main.yml | 5 +++
 roles/logrotate/tasks/main.yml | 25 +++++++++++
 .../templates/logrotate.d/rsyslog.j2 | 37 +++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 roles/logrotate/handlers/main.yml
 create mode 100644 roles/logrotate/tasks/main.yml
 create mode 100644 roles/logrotate/templates/logrotate.d/rsyslog.j2
diff --git a/roles/logrotate/handlers/main.yml b/roles/logrotate/handlers/main.yml
new file mode 100644
index 0000000..a58c62e
--- /dev/null
+++ b/roles/logrotate/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload logrotate
+ service:
+ name: logrotate
+ state: reloaded
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
new file mode 100644
index 0000000..f6667b7
--- /dev/null
+++ b/roles/logrotate/tasks/main.yml
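Review bot: The `reload logrotate` handler uses `service: state: reloaded`, but logrotate is not a long-running daemon: on Debian it is a oneshot `logrotate.service` triggered by `logrotate.timer`, and a oneshot unit has no reload action, so the first time the handler fires the play would error (inferred from the packaging; confirm on a target). Snippets under /etc/logrotate.d are read at the next run anyway, so the handler and its `notify:` can be dropped, and the `Enable logrotate service` task in the next file should target `name: logrotate.timer` rather than `name: logrotate`, since `state: started` on the service runs a rotation immediately instead of starting anything.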
@@ -0,0 +1,25 @@
+---
+# Install and configure logrotate
+
+# Install the apt package
+name: Install logrotate
+apt:
+ name:
+ - logrotate
+
+# Copy the configuration and reload the service if it has changed
+- name: Configure logrotate
+ template:
+ src: logrotate.d/rsyslog.j2
+ dst: /etc/logrotate.d/rsyslog
+ owner: root
+ groupe: root
+ mode: "0644"
+ notify: restart logrotate
+
+# Make sure the service is enabled and started
+- name: Enable logrotate service
+ service:
+ name: logrotate
+ enabled: true
+ state: started
diff --git a/roles/logrotate/templates/logrotate.d/rsyslog.j2 b/roles/logrotate/templates/logrotate.d/rsyslog.j2
new file mode 100644
index 0000000..c304bb4
--- /dev/null
+++ b/roles/logrotate/templates/logrotate.d/rsyslog.j2
@@ -0,0 +1,37 @@
+/var/log/syslog
+{
+ rotate 7
+ daily
+ missingok
+ notifempty
+ delaycompress
+ compress
+ postrotate
+ /usr/lib/rsyslog/rsyslog-rotate
+ endscript
+}
+
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+ rotate 1
+ daily
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /usr/lib/rsyslog/rsyslog-rotate
+ endscript
+}
From 05326c15d32a6b20c8f882434f07ee7011b3ea06 Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Sat, 23 Jan 2021 14:27:09 +0100
Subject: [PATCH 014/126] Enforce logrotate rules
---
 roles/logrotate/tasks/main.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
index f6667b7..dd3a4d2 100644
--- a/roles/logrotate/tasks/main.yml
+++ b/roles/logrotate/tasks/main.yml
@@ -23,3 +23,7 @@ apt:
 name: logrotate
 enabled: true
 state: started
+
+# Enforce new logrotate rules now
+- name: Run logrotate now
+ command: logrotate -f /etc/logrotate.d/rsyslog
From 0122a293ebe146b4ca5f904162cfcfa3ba3a6a06 Mon Sep 17 00:00:00 2001
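Review bot: The rsyslog.j2 template keeps a single rotated generation (`rotate 1`, daily) for auth.log, kern.log, daemon.log and the rest, and the `Run logrotate now` task added in PATCH 014 runs `logrotate -f` unconditionally on every play, so each playbook run forces a rotation and the second run in a row discards everything but the live file; two base-playbook runs in one day leave no authentication history to investigate an incident with. Keep several generations for these security-relevant logs (Debian's stock rsyslog snippet keeps four weekly ones for this group, if I recall it correctly) and make the forced run conditional on the template actually changing, `register: logrotate_conf` on the template task and `when: logrotate_conf.changed` on the command, or drop it and let the timer pick the new rules up. As written the command also reports `changed` on every play, which hides real changes in the recap.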
From: Otthorn
Date: Sat, 23 Jan 2021 14:34:13 +0100
Subject: [PATCH 015/126] Add the unify group
---
 hosts | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/hosts b/hosts
index a06cac8..90d248e 100644
--- a/hosts
+++ b/hosts
@@ -445,6 +445,13 @@ edc_pve
 gs_pve
 rives_pve
 
+# every unifi
+[unifi]
+gs_unifi
+edc_unifi
+fleming_unifi
+rives_unifi
+pacaterie_unifi
 ###############################################################################
 # Groups by service
 
From 0d9fd160302057fac8ad0bc987f40e111ff8844f Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Sat, 23 Jan 2021 14:35:03 +0100
Subject: [PATCH 016/126] Add logrotate to the base playbook
---
 base.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/base.yml b/base.yml
index 5aee2d2..1ea1901 100755
--- a/base.yml
+++ b/base.yml
@@ -10,3 +10,8 @@
 - hosts: all,!unifi
 roles:
 - ldap_client
+
+# Install logrotate
+- hosts: all,!unifi,!pve:children
+ roles:
+ - logrotate
From 66c2ff63053c72e93e7197f2c9ffef8015706161 Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Sat, 23 Jan 2021 14:37:18 +0100
Subject: [PATCH 017/126] full path to logrotate for command
---
 roles/logrotate/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
index dd3a4d2..8e78e90 100644
--- a/roles/logrotate/tasks/main.yml
+++ b/roles/logrotate/tasks/main.yml
@@ -26,4 +26,4 @@ apt:
 
 # Enforce new logrotate rules now
 - name: Run logrotate now
- command: logrotate -f /etc/logrotate.d/rsyslog
+ command: /usr/sbin/logrotate -f /etc/logrotate.d/rsyslog
From 43274ef2ec8d57cc6b25333f49a47662f146ae3e Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Sat, 23 Jan 2021 14:40:29 +0100
Subject: [PATCH 018/126] Add the ansible_managed var at the begining of the config file
---
 roles/logrotate/templates/logrotate.d/rsyslog.j2 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/logrotate/templates/logrotate.d/rsyslog.j2 b/roles/logrotate/templates/logrotate.d/rsyslog.j2
index c304bb4..beab470 100644
--- a/roles/logrotate/templates/logrotate.d/rsyslog.j2
+++ b/roles/logrotate/templates/logrotate.d/rsyslog.j2
@@ -1,3 +1,5 @@
+# {{ ansible_managed }}
+
 /var/log/syslog
 {
 rotate 7
From 73142dbe03210e1cc5ec1cbc291b2d3669107037 Mon Sep 17 00:00:00 2001
From: Otthorn
Date: Sat, 23 Jan 2021 14:41:25 +0100
Subject: [PATCH 019/126] Fix yaml syntax
---
 roles/logrotate/tasks/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
index 8e78e90..81fc7ed 100644
--- a/roles/logrotate/tasks/main.yml
+++ b/roles/logrotate/tasks/main.yml
@@ -2,10 +2,10 @@
 # Install and configure logrotate
 
 # Install the apt package
-name: Install logrotate
-apt:
- name:
- - logrotate
+- name: Install logrotate
+ apt:
+ name:
+ - logrotate
 
 # Copy the configuration and reload the service if it has changed
 - name: Configure logrotate
From d50288ccffbaa4925ed6aa63d26fd0161df642bd Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Sat, 23 Jan 2021 15:12:28 +0100
Subject: [PATCH 020/126] fix host syntax
---
 base.yml | 2 +-
 hosts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/base.yml b/base.yml
index 1ea1901..38ec360 100755
--- a/base.yml
+++ b/base.yml
@@ -12,6 +12,6 @@
 - ldap_client
 
 # Install logrotate
-- hosts: all,!unifi,!pve:children
+- hosts: all,!unifi,!pve
 roles:
 - logrotate
diff --git a/hosts b/hosts
index 90d248e..98a435e 100644
--- a/hosts
+++ b/hosts
@@ -446,7 +446,7 @@ gs_pve
 rives_pve
 
 # every unifi
-[unifi]
+[unifi:children]
 gs_unifi
 edc_unifi
 fleming_unifi
From e1a961273df956ae0c53d0e54dcd12903d040c62 Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Sat, 23 Jan 2021 15:42:52 +0100
Subject: [PATCH 021/126] fix typo: dst -> dest
---
 roles/logrotate/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
index 81fc7ed..b786ba0 100644
--- a/roles/logrotate/tasks/main.yml
+++ b/roles/logrotate/tasks/main.yml
@@ -11,7 +11,7 @@
 - name: Configure logrotate
 template:
 src: logrotate.d/rsyslog.j2
- dst: /etc/logrotate.d/rsyslog
+ dest: /etc/logrotate.d/rsyslog
 owner: root
 groupe: root
 mode: "0644"
From e6af0f2bd74c890e053f3bc567236089babfc647 Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Sat, 23 Jan 2021 15:59:03 +0100
Subject: [PATCH 022/126] fix typo: groupe -> group
---
 roles/logrotate/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
index b786ba0..e9ba3a1 100644
--- a/roles/logrotate/tasks/main.yml
+++ b/roles/logrotate/tasks/main.yml
@@ -13,7 +13,7 @@
 src: logrotate.d/rsyslog.j2
 dest: /etc/logrotate.d/rsyslog
 owner: root
- groupe: root
+ group: root
 mode: "0644"
 notify: restart logrotate
 
From 795ee3846fa98377604abb5505ab204e1eac80fc Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Sat, 23 Jan 2021 16:02:10 +0100
Subject: [PATCH 023/126] fix indent
---
 roles/logrotate/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
index e9ba3a1..656a746 100644
--- a/roles/logrotate/tasks/main.yml
+++ b/roles/logrotate/tasks/main.yml
@@ -15,7 +15,7 @@
 owner: root
 group: root
 mode: "0644"
- notify: restart logrotate
+ notify: restart logrotate
 
 # Make sure the service is enabled and started
 - name: Enable logrotate service
From fff6ec5807ed6ea998799c9cecfef81a8d6b2374 Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Sat, 23 Jan 2021 16:04:09 +0100
Subject: [PATCH 024/126] fix typo: restart -> reload
---
 roles/logrotate/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml
index 656a746..e76b591 100644
--- a/roles/logrotate/tasks/main.yml
+++ b/roles/logrotate/tasks/main.yml
@@ -15,7 +15,7 @@
 owner: root
 group: root
 mode: "0644"
- notify: restart logrotate
+ notify: reload logrotate
 
 # Make sure the service is enabled and started
 - name: Enable logrotate service
From be0c2f8e4a7506b470b39188ac160e893402d6a3 Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Sat, 23 Jan 2021 16:21:56 +0100
Subject: [PATCH 025/126] If you want to ONLY run the logrotate role
---
 logrotate.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100755 logrotate.yml
diff --git a/logrotate.yml b/logrotate.yml
new file mode 100755
index 0000000..8d3479e
--- /dev/null
+++ b/logrotate.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+# Playbook to run ONLY the logrotate role
+# Install logrotate
+- hosts: all,!unifi,!pve
+ roles:
+ - logrotate
From bac377f6348691b31783199dbc282f8969963f0f Mon Sep 17 00:00:00 2001
From: pz2891
Date: Sat, 23 Jan 2021 19:01:27 +0100
Subject: [PATCH 026/126] Update alert rules of UPS
---
 hosts | 9 ++-
 monitoring.yml | 18 +++++
 roles/prometheus/tasks/main.yml | 2 +-
 roles/prometheus/tasks/main.yml.save | 76 -------------------
 .../templates/prometheus/alert.rules.yml.j2 | 2 +-
 test.sh | 5 --
 6 files changed, 26 insertions(+), 86 deletions(-)
 delete mode 100644 roles/prometheus/tasks/main.yml.save
 delete mode 100755 test.sh
diff --git a/hosts b/hosts
index a06cac8..6639a21 100644
--- a/hosts
+++ b/hosts
@@ -345,6 +345,7 @@ dns-rives-backup.adm.auro.re
 radius-rives-backup.adm.auro.re
 routeur-rives-backup.adm.auro.re
 ldap-replica-rives.adm.auro.re
+prometheus-rives.adm.auro.re
 
 [rives_unifi]
 r3-4-4.borne.auro.re
@@ -396,29 +397,31 @@ ovh_vm [fleming:children] fleming_pve fleming_vm -#fleming_unifi +fleming_unifi # everything at pacaterie [pacaterie:children] pacaterie_pve pacaterie_vm -#pacaterie_unifi +pacaterie_unifi # everything at edc [edc:children] edc_pve edc_vm +edc_unifi # everything at georgesand [gs:children] gs_pve gs_vm +gs_unifi # everything at Les Rives [rives:children] rives_pve rives_vm - +rives_unifi ############################################################################### # Groups by type diff --git a/monitoring.yml b/monitoring.yml index 9bcc370..fc59738 100755 --- a/monitoring.yml +++ b/monitoring.yml @@ -61,6 +61,24 @@ roles: - prometheus +- hosts: prometheus-rives.adm.auro.re + vars: + prometheus_alertmanager: docker-ovh.adm.auro.re:9093 + snmp_unifi_password: "{{ vault_snmp_unifi_password }}" + + # Prometheus targets.json + prometheus_ups_snmp_targets: + - ups-r3-1.ups.auro.re + + prometheus_targets: + - targets: | + {{ groups['rives_pve'] + groups['rives_vm'] | list | sort }} + prometheus_unifi_snmp_targets: + - targets: "{{ groups['rives_unifi'] | list | sort }}" + roles: + - prometheus + + # Monitor all hosts - hosts: all,!unifi,!ovh roles: diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 0b5ad0e..38deaa3 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml @@ -61,7 +61,7 @@ content: "{{ [{'targets': prometheus_ups_snmp_targets }] | to_nice_json }}\n" dest: /etc/prometheus/targets_ups_snmp.json mode: 0644 - + when: prometheus_ups_snmp_targets is defined - name: Activate prometheus service systemd: diff --git a/roles/prometheus/tasks/main.yml.save b/roles/prometheus/tasks/main.yml.save deleted file mode 100644 index cca66e5..0000000 --- a/roles/prometheus/tasks/main.yml.save +++ /dev/null 
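Review bot: In the new `prometheus_targets` entry of the prometheus-rives play, `sort` is applied only to `groups['rives_vm']`, because a Jinja2 filter binds tighter than `+`, so the concatenated list is not sorted as a whole; the prometheus-aurore play added in PATCH 027 uses the same form. Parenthesise the sum before filtering: `{{ (groups['rives_pve'] + groups['rives_vm']) | sort }}` (`list` is redundant on a list). The block-scalar value is a string that Ansible has to turn back into a list when rendering targets.json; the pre-existing plays rely on the same form so I assume it works, but it is worth confirming on the rendered file.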
@@ -1,76 +0,0 @@ ---- -- name: Install Prometheus - apt: - update_cache: true - name: - - prometheus - - prometheus-snmp-exporter - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Configure Prometheus - template: - src: prometheus/prometheus.yml.j2 - dest: /etc/prometheus/prometheus.yml - mode: 0644 - notify: Restart Prometheus - -- name: Configure Prometheus alert rules - template: - src: "prometheus/{{ item }}.j2" - dest: "/etc/prometheus/{{ item }}" - mode: 0644 - notify: Restart Prometheus - loop: - - alert.rules.yml - - django.rules.yml - -- name: Make Prometheus snmp-exporter listen on localhost only - lineinfile: - path: /etc/default/prometheus-snmp-exporter - regexp: '^ARGS=' - line: "ARGS=\"--web.listen-address=127.0.0.1:9116\"" - notify: Restart prometheus-snmp-exporter - -# This file store SNMP OIDs -- name: Configure Prometheus snmp-exporter - template: - src: "prometheus/snmp.yml.j2" - dest: "/etc/prometheus/snmp.yml" - mode: 0600 - owner: prometheus - notify: Restart prometheus-snmp-exporter - -# We don't need to restart Prometheus when updating nodes -- name: Configure Prometheus nodes - copy: - content: "{{ prometheus_targets | to_nice_json }}" - dest: /etc/prometheus/targets.json - mode: 0644 - -# We don't need to restart Prometheus when updating nodes -- name: Configure Prometheus Ubiquity Unifi SNMP devices - copy: - content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}" - dest: /etc/prometheus/targets_unifi_snmp.json - mode: 0644 - -- name: Configure Prometheus UPS SNMP devices - copy: - content: "{{ [{'target | to_nice_json }}" - dest: /etc/prometheus/targets_ups_snmp.json - mode: 0644 - - -- name: Activate prometheus service - systemd: - name: prometheus - enabled: true - state: started - -- name: Indicate role in motd - template: - src: update-motd.d/05-service.j2 - dest: /etc/update-motd.d/05-prometheus - mode: 0755 
diff --git a/roles/prometheus/templates/prometheus/alert.rules.yml.j2 b/roles/prometheus/templates/prometheus/alert.rules.yml.j2 index db99ab7..7ae1928 100644 --- a/roles/prometheus/templates/prometheus/alert.rules.yml.j2 +++ b/roles/prometheus/templates/prometheus/alert.rules.yml.j2 @@ -102,7 +102,7 @@ groups: summary: "La tension d'entrée de {{ $labels.instance }} est de {{ $value }}V." - alert: UpsWrongOutputVoltage - expr: (upsOutputVoltage < 225) or (upsOutputVoltage > 235) + expr: (upsOutputVoltage < 220) or (upsOutputVoltage > 240) for: 5m labels: severity: warning diff --git a/test.sh b/test.sh deleted file mode 100755 index 3e77d04..0000000 --- a/test.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -for ip in `cat hosts|grep pacaterie.adm.auro.re`; do - ssh-copy-id $ip -done - From e3ae912f44d6b5f3db16f3b11cedf9178fcc08ad Mon Sep 17 00:00:00 2001 From: pz2891 Date: Sat, 23 Jan 2021 22:10:57 +0100 Subject: [PATCH 027/126] Add prometheus-aurore to monitor all service VM and physical servers. Modifying monitoring role to exclude wireless access points when running the role on all hosts --- hosts | 4 +++- monitoring.yml | 14 +++++++++++++- roles/prometheus/tasks/main.yml | 1 + 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/hosts b/hosts index 6639a21..ad8b045 100644 --- a/hosts +++ b/hosts @@ -29,13 +29,15 @@ stream.adm.auro.re re2o-server.adm.auro.re re2o-ldap.adm.auro.re re2o-db.adm.auro.re -pendragon.adm.auro.re services-bdd-local.adm.auro.re backup.adm.auro.re services-web.adm.auro.re mail.adm.auro.re wikijs.adm.auro.re +prometheus-aurore.adm.auro.re +[aurore_testing_vm] +pendragon.adm.auro.re ############################################################################### # OVH diff --git a/monitoring.yml b/monitoring.yml index fc59738..a5e9a97 100755 --- a/monitoring.yml +++ b/monitoring.yml 
@@ -78,8 +78,20 @@ roles: - prometheus +- hosts: prometheus-aurore.adm.auro.re + vars: + prometheus_alertmanager: docker-ovh.adm.auro.re:9093 + snmp_unifi_password: "{{ vault_snmp_unifi_password }}" + + # Prometheus targets.json + prometheus_targets: + - targets: | + {{ groups['aurore_pve'] + groups['aurore_vm'] + groups['ovh_pve'] + groups['ovh_vm'] | list | sort }} + roles: + - prometheus + # Monitor all hosts -- hosts: all,!unifi,!ovh +- hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container roles: - prometheus_node diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 38deaa3..036b58c 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml @@ -55,6 +55,7 @@ content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}" dest: /etc/prometheus/targets_unifi_snmp.json mode: 0644 + when : prometheus_unifi_snmp_targets is defined - name: Configure Prometheus UPS SNMP devices copy: From 3d05acbd03d1718af0bdde3cd955684912ba6864 Mon Sep 17 00:00:00 2001 From: pz2891 Date: Tue, 26 Jan 2021 19:18:35 +0100 Subject: [PATCH 028/126] Add Loki server --- hosts | 1 + monitoring.yml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/hosts b/hosts index ad8b045..ec09073 100644 --- a/hosts +++ b/hosts @@ -339,6 +339,7 @@ gf-5-1.borne.auro.re # Les Rives [rives_pve] thor.adm.auro.re +loki.adm.auro.re [rives_vm] dhcp-rives-backup.adm.auro.re diff --git a/monitoring.yml b/monitoring.yml index a5e9a97..38a019d 100755 --- a/monitoring.yml +++ b/monitoring.yml @@ -58,6 +58,8 @@ {{ groups['gs_pve'] + groups['gs_vm'] | list | sort }} prometheus_unifi_snmp_targets: - targets: "{{ groups['gs_unifi'] | list | sort }}" + prometheus_ups_snmp_targets: + - ups-gk-1.ups.auro.re roles: - prometheus From d59cb41d5e99650f5de6b8476572f5ba124cc8b8 Mon Sep 17 00:00:00 2001 
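Review bot: The new host pattern for the prometheus_node play enumerates every per-site `*_unifi` group by hand, so the next site whose `[site:children]` entry gains a `*_unifi` child (as PATCH 026 just did for edc, gs and rives) will silently be picked up by node-exporter deployment. If the inventory keeps a type-level `[unifi:children]` group under "# Groups by type", the previous `!unifi` exclusion was the robust form and should stay, alongside `!aurore_testing_vm,!ovh_container`; otherwise add such a group to `hosts` so this line does not have to track every site. A comment above the play saying why each exclusion exists (`# no node-exporter on access points, the test VM or OVH containers`) would help the next editor.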
From: Jeltz Date: Thu, 28 Jan 2021 03:42:07 +0100 Subject: [PATCH 029/126] Use unattended-upgrades for Debian-Security --- roles/baseconfig/tasks/apt-unattended.yml | 21 ++++++++++++++++++ roles/baseconfig/tasks/main.yml | 3 +++ .../templates/apt/20auto-upgrades.j2 | 4 ++++ .../templates/apt/50unattended-upgrades.j2 | 22 +++++++++++++++++++ 4 files changed, 50 insertions(+) create mode 100644 roles/baseconfig/tasks/apt-unattended.yml create mode 100644 roles/baseconfig/templates/apt/20auto-upgrades.j2 create mode 100644 roles/baseconfig/templates/apt/50unattended-upgrades.j2 diff --git a/roles/baseconfig/tasks/apt-unattended.yml b/roles/baseconfig/tasks/apt-unattended.yml new file mode 100644 index 0000000..9251e17 --- /dev/null +++ b/roles/baseconfig/tasks/apt-unattended.yml @@ -0,0 +1,21 @@ +--- +- name: Install unattended-upgrades + when: ansible_os_family == "Debian" + apt: + name: unattended-upgrades + state: present + update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Configure unattended-upgrades + template: + src: "apt/{{ item }}.j2" + dest: "/etc/apt/apt.conf.d/{{ item }}" + owner: root + mode: u=rw,g=r,o=r + loop: + - 50unattended-upgrades + - 20auto-upgrades +... diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml index 2455998..c1d3eda 100644 --- a/roles/baseconfig/tasks/main.yml +++ b/roles/baseconfig/tasks/main.yml @@ -74,6 +74,9 @@ # APT-List Changes : send email with changelog - include_tasks: apt-listchanges.yml +# APT Unattended upgrades +- include_tasks: apt-unattended.yml + # User skeleton - name: Configure user skeleton copy: diff --git a/roles/baseconfig/templates/apt/20auto-upgrades.j2 b/roles/baseconfig/templates/apt/20auto-upgrades.j2 new file mode 100644 index 0000000..a1ba39e --- /dev/null +++ b/roles/baseconfig/templates/apt/20auto-upgrades.j2 
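Review bot: The `Configure unattended-upgrades` task sets `owner: root` but no `group`, so the group of the files under /etc/apt/apt.conf.d is left to the remote user's default rather than pinned; add `group: root` next to `owner: root`, as the logrotate task in this repository does. The task is also not guarded by the `when: ansible_os_family == "Debian"` condition that the install task has, so on a non-Debian host it would template APT configuration anyway; either guard both tasks or put the condition on the `include_tasks` line in main.yml. `mode: u=rw,g=r,o=r` is the right, quoting-safe form for the mode.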
@@ -0,0 +1,4 @@ +// {{ ansible_managed }} + +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Unattended-Upgrade "1"; diff --git a/roles/baseconfig/templates/apt/50unattended-upgrades.j2 b/roles/baseconfig/templates/apt/50unattended-upgrades.j2 new file mode 100644 index 0000000..b2932b5 --- /dev/null +++ b/roles/baseconfig/templates/apt/50unattended-upgrades.j2 @@ -0,0 +1,22 @@ +// {{ ansible_managed }} + +Unattended-Upgrade::Origins-Pattern { + "origin=Debian,codename=${distro_codename},label=Debian-Security"; +}; + +Unattended-Upgrade::Package-Blacklist {}; + +Unattended-Upgrade::MinimalSteps "true"; +Unattended-Upgrade::InstallOnShutdown "false"; + +Unattended-Upgrade::Mail "{{ monitoring_mail }}"; +// Unattended-Upgrade::MailOnlyOnError "false"; + +Unattended-Upgrade::Remove-Unused-Kernel-Packages "false"; +Unattended-Upgrade::Remove-New-Unused-Dependencies "false"; +Unattended-Upgrade::Remove-Unused-Dependencies "false"; + +Unattended-Upgrade::Automatic-Reboot "false"; + +Unattended-Upgrade::SyslogEnable "true"; +Unattended-Upgrade::SyslogFacility "daemon"; From 6ec89b88d85a983246391a0f81d51d6082f7c954 Mon Sep 17 00:00:00 2001 From: Solal Nathan Date: Fri, 29 Jan 2021 19:33:38 +0100 Subject: [PATCH 030/126] Limit floats in alerts to 2 decimal places --- roles/prometheus/templates/prometheus/alert.rules.yml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/prometheus/templates/prometheus/alert.rules.yml.j2 b/roles/prometheus/templates/prometheus/alert.rules.yml.j2 index 2a10358..6df102f 100644 --- a/roles/prometheus/templates/prometheus/alert.rules.yml.j2 +++ b/roles/prometheus/templates/prometheus/alert.rules.yml.j2 @@ -22,7 +22,7 @@ groups: labels: severity: warning annotations: - summary: "Mémoire libre de {{ $labels.instance }} à {{ $value }}%." + summary: "Mémoire libre de {{ $labels.instance }} à {{ $value | printf "%.2f" }}%." # Alert for out of disk space - alert: OutOfDiskSpace 
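Review bot: With `Unattended-Upgrade::Automatic-Reboot "false"` and `Remove-Unused-Kernel-Packages "false"`, a kernel or libc update from Debian-Security is installed but not in effect until someone reboots, and nothing in the template says who notices that; add a comment above the Automatic-Reboot line such as `// Reboots stay manual: watch the upgrade mails for kernel/libc updates and schedule a reboot`. `MailOnlyOnError` is left commented out, so with `Mail` set every upgrade run sends a report to `{{ monitoring_mail }}`; if that is intended, say so on that line rather than leaving a commented default. `monitoring_mail` must be defined for every host that runs baseconfig or the template fails to render; the group_vars are not visible from here, so confirm it is set globally.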
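Review bot: The new `summary` value embeds unescaped double quotes (`printf "%.2f"`) inside a YAML double-quoted scalar, so the scalar ends at the quote before `%.2f` and the rest of the line is a parse error when Prometheus loads the rendered rules file; the OutOfDiskSpace and CPU hunks of this commit have the same problem. Use single quotes for the outer string, e.g. `summary: 'Mémoire libre de {{ $labels.instance }} à {{ $value | printf "%.2f" }}%.'`, or escape the inner quotes as `\"`. Running `promtool check rules` on the rendered file would catch this before the configuration is deployed.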
@@ -31,7 +31,7 @@ groups: labels: severity: warning annotations: - summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ $value }}%." + summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ $value | printf "%.2f" }}%." # Alert for out of inode space on disk - alert: OutOfInodes @@ -49,7 +49,7 @@ groups: labels: severity: warning annotations: - summary: "CPU sur {{ $labels.instance }} à {{ $value }}%." + summary: "CPU sur {{ $labels.instance }} à {{ $value | printf "%.2f" }}%." # Check systemd unit (> buster) - alert: SystemdServiceFailed From a12bcbc97f4e5d1425ce543f5a6dd5417c500506 Mon Sep 17 00:00:00 2001 From: pz2891 Date: Fri, 29 Jan 2021 20:12:14 +0100 Subject: [PATCH 031/126] Correct yamlint --- monitoring.yml | 8 ++++---- roles/prometheus/tasks/main.yml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/monitoring.yml b/monitoring.yml index 38a019d..c31fe86 100755 --- a/monitoring.yml +++ b/monitoring.yml @@ -26,9 +26,9 @@ prometheus_unifi_snmp_targets: - targets: "{{ groups['pacaterie_unifi'] | list | sort }}" prometheus_ups_snmp_targets: - - ups-pn-1.ups.auro.re + - ups-pn-1.ups.auro.re roles: - - prometheus + - prometheus - hosts: prometheus-edc.adm.auro.re vars: @@ -37,7 +37,7 @@ # Prometheus targets.json prometheus_ups_snmp_targets: - - ups-ec-1.ups.auro.re + - ups-ec-1.ups.auro.re prometheus_targets: - targets: | @@ -70,7 +70,7 @@ # Prometheus targets.json prometheus_ups_snmp_targets: - - ups-r3-1.ups.auro.re + - ups-r3-1.ups.auro.re prometheus_targets: - targets: | diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 036b58c..8697ef9 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml 
@@ -55,7 +55,7 @@ content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}" dest: /etc/prometheus/targets_unifi_snmp.json mode: 0644 - when : prometheus_unifi_snmp_targets is defined + when: prometheus_unifi_snmp_targets is defined - name: Configure Prometheus UPS SNMP devices copy: From eecf807b532657f02312e604f9bd7d86ef9fa0de Mon Sep 17 00:00:00 2001 From: pz2891 Date: Fri, 29 Jan 2021 20:15:21 +0100 Subject: [PATCH 032/126] Delte main.yml.save --- roles/baseconfig/tasks/main.yml.save | 89 ---------------------------- 1 file changed, 89 deletions(-) delete mode 100644 roles/baseconfig/tasks/main.yml.save diff --git a/roles/baseconfig/tasks/main.yml.save b/roles/baseconfig/tasks/main.yml.save deleted file mode 100644 index d73cf07..0000000 --- a/roles/baseconfig/tasks/main.yml.save +++ /dev/null 
@@ -1,89 +0,0 @@ ---- -# Should contain only small tools that everyone can't live without -- name: Install basic tools - when: ansible_os_family == "Debian" - apt: - name: - - sudo - - molly-guard # prevent reboot - - ntp # network time sync - - apt # better than apt-get - - nano # for vulcain - - vim # better than nano - - emacs-nox # for maman - - htop # better than top - - zsh # to be able to ssh @erdnaxe - - fish # to motivate @edpibu - - oidentd # postgresql identification - - aptitude # nice to have for Ansible - - acl # advanced ACL - - iotop # monitor i/o - - tree # create a graphical tree of files - - bash-completion # because bash - - git # code versioning - - less # i like cats - - screen # Vulcain asked for this - - lsb-release - update_cache: true - register: apt_result - retries: 3 - until: apt_result is succeeded - -# Pimp my server -- name: Customize motd - copy: - src: "update-motd.d/{{ item }}" - dest: "/etc/update-motd.d/{{ item }}" - mode: 0755 - loop: - - 00-logo - - 10-uname - -- name: Remove Debian warranty motd - file: - path: /etc/motd - state: absent - -# Configure APT mirrors on Debian Stretch -- name: Configure APT mirrors - when: - - ansible_distribution == 'Debian' - - ansible_distribution_release == 'stretch' - template: - src: apt/sources.list.j2 - dest: /etc/apt/sources.list - mode: 0644 - -# Patriotisme -- name: Ensure French UTF-8 locale exists - locale_gen: - name: fr_FR.UTF-8 - state: present - -# Fix LC_CTYPE="C" -- name: Select default locale - debconf: - name: locales - question: locales/default_environment_locale - value: fr_FR.UTF-8 - vtype: select - notify: Reconfigure locales - -# APT-List Changes : send email with changelog -- include_tasks: apt-listchanges.yml - -# User skeleton -- name: Configure user skeleton - copy: - src: "skel/dot_{{ item }}" - dest: "/etc/skel/.{{ item }}" - mode: 0644 - loop: - - zshrc - - zshrc.local - -- name: Configure resolvconf - template: - src: resolv.conf - dest: /etc/resolv.conf - mode: 
0644 From 3eb48edccdd72a93bd8bc27f669e6c8345d00cc9 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Tue, 2 Feb 2021 23:17:47 +0100 Subject: [PATCH 033/126] Tmux everywhere Signed-off-by: Yohann D'ANELLO --- roles/baseconfig/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml index c1d3eda..0c13978 100644 --- a/roles/baseconfig/tasks/main.yml +++ b/roles/baseconfig/tasks/main.yml @@ -23,6 +23,7 @@ - oidentd # postgresql identification - screen # Vulcain asked for this - sudo + - tmux # For shirenn - tree # create a graphical tree of files - vim # better than nano - zsh # to be able to ssh @erdnaxe From 7cdef7ee9651e2838b802d718e5f1d376f53be67 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 23 Jan 2021 17:19:50 +0100 Subject: [PATCH 034/126] Fix: keep the logs for 90 days --- roles/logrotate/templates/logrotate.d/rsyslog.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/logrotate/templates/logrotate.d/rsyslog.j2 b/roles/logrotate/templates/logrotate.d/rsyslog.j2 index beab470..f47e725 100644 --- a/roles/logrotate/templates/logrotate.d/rsyslog.j2 +++ b/roles/logrotate/templates/logrotate.d/rsyslog.j2 @@ -26,7 +26,7 @@ /var/log/debug /var/log/messages { - rotate 1 + rotate 90 daily missingok notifempty From 5fc2d0a3f9f30aae5a6699a0e62584e6e2f75c46 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sun, 24 Jan 2021 00:09:48 +0100 Subject: [PATCH 035/126] Ajout d'accueil dans keepalived --- roles/router/templates/keepalived.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index cd217f3..45f5661 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf 
@@ -50,6 +50,9 @@ vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 { # Wifi 10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global + + # Accueil + 10.{{ subnet_ids.users_accueil }}.0.254/16 brd 10.{{ subnet_ids.users_accueil }}.255.255 dev ens23 scope global } From 5a09b77070d26d70d6d43afbe547892939b2e1d2 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sun, 24 Jan 2021 01:30:31 +0100 Subject: [PATCH 036/126] Resolve DNS for the accueil vlan Signed-off-by: Yohann D'ANELLO --- roles/unbound/templates/recursive.conf.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index efdebe1..74d77d9 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -23,12 +23,14 @@ server: interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }} + interface: 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix }} # IPv6 interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }} interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }} interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }} + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::0:{{ dns_host_suffix }} # By default, anything other than localhost is refused. @@ -36,6 +38,7 @@ server: access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow + access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :) num-threads: {{ ansible_processor_vcpus }} From 9af9a7bab8f9c1b7b5fde963c8b8a4a9827f5a51 Mon Sep 17 00:00:00 2001 
From: Yohann D'ANELLO Date: Sun, 24 Jan 2021 11:38:52 +0100 Subject: [PATCH 037/126] Redirect the proxy IP address to intranet.auro.re by default Signed-off-by: Yohann D'ANELLO --- host_vars/proxy.adm.auro.re.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy.adm.auro.re.yml index b8fb2c3..04184fc 100644 --- a/host_vars/proxy.adm.auro.re.yml +++ b/host_vars/proxy.adm.auro.re.yml @@ -33,7 +33,7 @@ nginx: redirect_sites: - from: 45.66.111.61 - to: auro.re + to: intranet.auro.re reverseproxy_sites: - from: re2o.auro.re From 89ebbd423e3d3f128766616776962af8f8a024e6 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sun, 24 Jan 2021 11:44:30 +0100 Subject: [PATCH 038/126] Use the local firewall repository Signed-off-by: Yohann D'ANELLO --- roles/router/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index 2014572..a0b8805 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml @@ -34,7 +34,7 @@ import_role: name: re2o-service vars: - service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git + service_repo: https://gitea.auro.re/Aurore/aurore-firewall.git service_name: aurore-firewall service_version: aurore service_config: From a7b073e1cc8cf92a1bb2741853a14b4c53e30c35 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sun, 24 Jan 2021 12:04:21 +0100 Subject: [PATCH 039/126] Add captive portal firewall configuration Signed-off-by: Yohann D'ANELLO --- roles/router/templates/firewall_config.py | 31 ++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index 4f6b755..68f66b2 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py 
@@ -25,13 +25,14 @@ ### Give me a role # previously: routeur4 = routeur IPv4 -role = ['routeur'] +role = ['routeur', 'portail'] ### Specify each interface role interfaces_type = { - 'routable' : ['ens20', 'ens21'], + 'routable' : ['ens20', 'ens21', 'ens23'], + 'routable-portail' : ['ens23'], 'sortie' : ['ens19'], 'admin' : ['ens18'] } @@ -61,5 +62,29 @@ nat = [ apartment_block_id }}', '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}' } - } + }, + { + 'name': 'Accueil', + 'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16', + 'extra_nat': { + '10.{{ subnet_ids.users_accueil }}.0.0/16': '45.66.108.25{{ apartment_block_id }}' + }, + }, ] + +portail = { + "authorized_hosts": { + "tcp": { + "45.66.111.61": ["80", "443"], + "92.222.211.195": ["80", "443"] + }, + "udp": {} + }, + "ip_redirect": { + "0.0.0.0/0": { + "tcp": { + "45.66.111.61": ["80", "443"] + } + } + } +} From e02670afb0e3919a3135f9595e4f4960402a1755 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sun, 24 Jan 2021 14:28:31 +0100 Subject: [PATCH 040/126] Les caches unbound renvoie les addresses en 10/8 --- roles/unbound/templates/recursive.conf.j2 | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index 74d77d9..6956ae5 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -43,8 +43,6 @@ server: num-threads: {{ ansible_processor_vcpus }} - private-address: 10.0.0.0/8 - # The host cache TTL affects blacklisting of supposedly bogus hosts. # The default was 900 (15 minutes). infra-host-ttl: 60 From 6df41d16b52e5c9c4539074cb55f4a7d0228680b Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sun, 24 Jan 2021 15:50:40 +0100 Subject: [PATCH 041/126] Add portail VM Signed-off-by: Yohann D'ANELLO --- hosts | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts b/hosts index eec54a0..3f03ed2 100644 --- a/hosts +++ b/hosts 
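Review bot: Dropping `private-address: 10.0.0.0/8` removes Unbound's DNS-rebinding protection for the whole 10/8 range: any external zone can now hand out answers pointing at internal addresses and clients will follow them. If the goal is only to let the internal zone answer with 10/8 addresses, keep `private-address: 10.0.0.0/8` and add `private-domain: "auro.re"` (or whichever zone holds the internal names) so that just that domain may return private addresses. Either way the reason should be recorded next to the setting; at the moment the commit message is the only place it is explained.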
@@ -35,6 +35,7 @@ services-web.adm.auro.re mail.adm.auro.re wikijs.adm.auro.re prometheus-aurore.adm.auro.re +portail.adm.auro.re [aurore_testing_vm] pendragon.adm.auro.re From 9bd06520fb8671bbcded98a24f345b5988dfe0b3 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sun, 24 Jan 2021 21:20:53 +0100 Subject: [PATCH 042/126] Add reverse-proxy for Re2o on the portal VM Signed-off-by: Yohann D'ANELLO --- host_vars/portail.adm.auro.re.yml | 40 +++++++++++++++++++ .../nginx/sites-available/redirect.j2 | 8 ++-- .../nginx/sites-available/reverseproxy.j2 | 6 +++ services_web.yml | 2 +- 4 files changed, 51 insertions(+), 5 deletions(-) create mode 100644 host_vars/portail.adm.auro.re.yml diff --git a/host_vars/portail.adm.auro.re.yml b/host_vars/portail.adm.auro.re.yml new file mode 100644 index 0000000..65aea34 --- /dev/null +++ b/host_vars/portail.adm.auro.re.yml @@ -0,0 +1,40 @@ +--- +certbot: + domains: + - portail.auro.re + mail: tech.aurore@lists.crans.org + certname: auro.re + +nginx: + ssl: + cert: /etc/letsencrypt/live/auro.re/fullchain.pem + cert_key: /etc/letsencrypt/live/auro.re/privkey.pem + trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem + + redirect_dnames: {} + + redirect_tcp: {} + + redirect_sites: + - from: portail.adm.auro.re + to: portail.auro.re + norequesturi: true + + - from: 10.128.0.247 + to: portail.auro.re + norequesturi: true + + - from: 45.66.111.247 + to: portail.auro.re + norequesturi: true + + reverseproxy_sites: + - from: portail.auro.re + to: 10.128.0.20 + custom_args: + - "allow 45.66.108.251" + - "allow 45.66.108.252" + - "allow 45.66.108.253" + - "allow 45.66.108.254" + - "allow 45.66.108.255" + - "deny all" diff --git a/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2 b/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2 index 28e9b7d..9b0e8ca 100644 --- a/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2 
+++ b/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2 @@ -9,7 +9,7 @@ server { server_name {{ site.from }}; location / { - return 302 http://{{ site.to }}$request_uri; + return 302 http://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %}; } } @@ -24,7 +24,7 @@ server { include "/etc/nginx/snippets/options-ssl.conf"; location / { - return 302 https://{{ site.to }}$request_uri; + return 302 https://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %}; } } @@ -43,7 +43,7 @@ server { server_name {{ from }}; location / { - return 302 http://{{ site.to }}$request_uri; + return 302 http://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %}; } } @@ -58,7 +58,7 @@ server { include "/etc/nginx/snippets/options-ssl.conf"; location / { - return 302 https://{{ site.to }}$request_uri; + return 302 https://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %}; } } diff --git a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2 index d29d13c..9c8c152 100644 --- a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2 +++ b/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2 @@ -47,6 +47,12 @@ server { set_real_ip_from 2a0c:700:0:2::/64; real_ip_header P-Real-Ip; +{% if site.custom_args is defined -%} +{% for arg in site.custom_args %} + {{ arg }}; +{% endfor %} +{% endif %} + location / { proxy_pass http://{{ site.to }}; include "/etc/nginx/snippets/options-proxypass.conf"; diff --git a/services_web.yml b/services_web.yml index 6bc6a6d..73b900b 100755 --- a/services_web.yml +++ b/services_web.yml @@ -11,7 +11,7 @@ - passbolt # Deploy reverse proxy -- hosts: proxy*.adm.auro.re +- hosts: portail.adm.auro.re,proxy*.adm.auro.re roles: - certbot - nginx_reverseproxy 
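Review bot: `{% if site.norequesturi is not defined %}` tests for presence rather than truth, so a site that sets `norequesturi: false` also loses `$request_uri`; the same condition is repeated in the other three hunks of this file. Test the value instead: `return 302 http://{{ site.to }}{% if not site.norequesturi | default(false) %}$request_uri{% endif %};` (and the https variant). Since the option is now part of the site dict contract, a one-line comment at the top of the template describing `norequesturi` would help the host_vars authors.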
From ba9e60dba88918f70af5759bc02be26fffb59d99 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Thu, 28 Jan 2021 22:08:48 +0100 Subject: [PATCH 043/126] Update the nginx configuration of the captive portal Signed-off-by: Yohann D'ANELLO --- host_vars/portail.adm.auro.re.yml | 41 ++++++++++++++++++++----------- 1 file changed, 27 insertions(+), 14 deletions(-) diff --git a/host_vars/portail.adm.auro.re.yml b/host_vars/portail.adm.auro.re.yml index 65aea34..8af0987 100644 --- a/host_vars/portail.adm.auro.re.yml +++ b/host_vars/portail.adm.auro.re.yml @@ -16,25 +16,38 @@ nginx: redirect_tcp: {} redirect_sites: - - from: portail.adm.auro.re - to: portail.auro.re + - from: 10.13.0.247 + to: portail-fleming.auro.re norequesturi: true - - from: 10.128.0.247 - to: portail.auro.re + - from: 10.23.0.247 + to: portail-.auro.re norequesturi: true - - from: 45.66.111.247 - to: portail.auro.re + - from: 10.33.0.247 + to: portail-rives.auro.re + norequesturi: true + + - from: 10.43.0.247 + to: portail-edc.auro.re + norequesturi: true + + - from: 10.53.0.247 + to: portail-gs.auro.re norequesturi: true reverseproxy_sites: - - from: portail.auro.re + - from: portail-fleming.auro.re + to: 10.128.0.20 + + - from: portail-pacaterie.auro.re + to: 10.128.0.20 + + - from: portail-rives.auro.re + to: 10.128.0.20 + + - from: portail-edc.auro.re + to: 10.128.0.20 + + - from: portail-gs.auro.re to: 10.128.0.20 - custom_args: - - "allow 45.66.108.251" - - "allow 45.66.108.252" - - "allow 45.66.108.253" - - "allow 45.66.108.254" - - "allow 45.66.108.255" - - "deny all" From 154cbedec214b61e012a94e7114f57f01e6cf284 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 15:50:32 +0100 Subject: [PATCH 044/126] Deploy firewall config for the captive portal Signed-off-by: Yohann D'ANELLO --- roles/router/templates/firewall_config.py | 42 ++++++++++++++--------- 1 file changed, 26 insertions(+), 16 deletions(-) 
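Review bot: The redirect for `10.23.0.247` points to `portail-.auro.re`, which has no site name; from the reverseproxy_sites list below it should read `to: portail-pacaterie.auro.re`. The `certbot.domains` list at the top of this file is outside the hunk; if it still only contains `portail.auro.re`, the five new `portail-*.auro.re` names have no matching certificate and the https server blocks will present a certificate that does not cover them. Dropping the `allow`/`deny` list also means the reverse proxy to 10.128.0.20 now accepts any client that can reach the portal VM; if that is intended because the firewall confines the accueil VLANs, a comment on the `reverseproxy_sites` key saying so would keep it from being re-added.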
diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index 68f66b2..6909b85 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py @@ -25,14 +25,13 @@ ### Give me a role # previously: routeur4 = routeur IPv4 -role = ['routeur', 'portail'] +role = ['routeur'] ### Specify each interface role interfaces_type = { 'routable' : ['ens20', 'ens21', 'ens23'], - 'routable-portail' : ['ens23'], 'sortie' : ['ens19'], 'admin' : ['ens18'] } @@ -67,24 +66,35 @@ nat = [ 'name': 'Accueil', 'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16', 'extra_nat': { - '10.{{ subnet_ids.users_accueil }}.0.0/16': '45.66.108.25{{ apartment_block_id }}' + '10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ + apartment_block_id }}', + '10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}' }, + 'extra_nat_group': 'accueil_ens23_allowed', }, ] -portail = { - "authorized_hosts": { - "tcp": { - "45.66.111.61": ["80", "443"], - "92.222.211.195": ["80", "443"] - }, - "udp": {} - }, - "ip_redirect": { - "0.0.0.0/0": { +# ATTENTION: on doit avoir retry ≥ grace +# ATTENTION: il faut que ip_redirect gère tous les ports +# autorisés dans le profile re2o, sinon on laisse sortir +# du trafic +accueils = [ + { + 'iface': 'ens23', + 'grace_period': 1800, + 'retry_period': 86400, + 'ip_sources': [ + '10.{{ subnet_ids.users_accueil }}.1.0/24', + '10.{{ subnet_ids.users_accueil }}.2.0/24', + ], + 'ip_redirect': { "tcp": { - "45.66.111.61": ["80", "443"] + "10.{{ subnet_ids.users_accueil }}.0.247": ["80", "443"], } - } + }, + 'triggers': [ + ('4', 'tcp', '46.255.53.35', 443), # ComNPay + ('4', 'tcp', '46.255.53.35', 80), + ] } -} +] From 889cb764c138887bbeb5d5e564f3c45eabc947b2 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 17:07:10 +0100 Subject: [PATCH 045/126] Clone certbot role from Crans 
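Review bot: The `ATTENTION: on doit avoir retry ≥ grace` comment is an invariant the config file can enforce itself; add `assert all(a['retry_period'] >= a['grace_period'] for a in accueils), "retry_period must be >= grace_period"` after the `accueils` list so a bad edit fails at load time instead of inside the firewall. The first `extra_nat` value is a string literal broken across two lines inside the Jinja tag (`'45.66.108.25{{` / `apartment_block_id }}'`); Jinja tolerates the newline, but it reads as a broken literal, so keep it on one line like the entry below it. The ComNPay addresses in `triggers` are a third-party dependency hard-coded in a template; a variable in group_vars would keep the template stable when the provider changes addresses.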
Signed-off-by: Yohann D'ANELLO --- group_vars/certbot.yml | 8 ++++++++ roles/certbot/tasks/main.yml | 17 +++++++++++++++-- .../letsencrypt/conf.d/certname.ini.j2 | 9 +++++++-- .../templates/letsencrypt/rfc2136.ini.j2 | 7 +++++++ 4 files changed, 37 insertions(+), 4 deletions(-) create mode 100644 group_vars/certbot.yml create mode 100644 roles/certbot/templates/letsencrypt/rfc2136.ini.j2 diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml new file mode 100644 index 0000000..011aa68 --- /dev/null +++ b/group_vars/certbot.yml @@ -0,0 +1,8 @@ +--- +glob_certbot: + dns_rfc2136_server: '10.128.0.30' + dns_rfc2136_name: certbot_challenge. + dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + mail: tech.aurore@lists.crans.org + certname: auro.re + domains: "auro.re" diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index cbce286..549e7a2 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -1,10 +1,10 @@ --- -- name: Install certbot and nginx plugin +- name: Install certbot and RFC2136 plugin apt: update_cache: true name: - certbot - - python3-certbot-nginx + - python3-certbot-dns-rfc2136 register: pkg_result retries: 3 until: pkg_result is succeeded @@ -15,6 +15,19 @@ state: directory mode: 0755 +- name: Lookup DNS masters IPv4 + set_fact: + dns_masters_ipv4: + - "10.128.0.30" + cacheable: true + +- name: Add DNS credentials + template: + src: letsencrypt/rfc2136.ini.j2 + dest: /etc/letsencrypt/rfc2136.ini + mode: 0600 + owner: root + - name: Add Certbot configuration template: src: "letsencrypt/conf.d/certname.ini.j2" diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 index c23d930..88512d2 100644 --- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 +++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 
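Review bot: The `Lookup DNS masters IPv4` task hard-codes `10.128.0.30` into a cacheable fact `dns_masters_ipv4`, while `group_vars/certbot.yml` in the same commit already carries that address as `glob_certbot.dns_rfc2136_server`, and nothing else in the commit reads the fact; unless a template outside this diff uses it, drop the task or derive it from `certbot.dns_rfc2136_server` so the address lives in one place. `cacheable: true` also persists the value in the fact cache, where a stale server address would survive a change in group_vars. The credentials task correctly renders the TSIG secret with `mode: 0600`; adding `group: root` there would make the ownership fully explicit.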
@@ -15,8 +15,13 @@ email = {{ certbot.mail }} # Uncomment to use a text interface instead of ncurses text = True -# Use nginx challenge -authenticator = nginx +# Yes I want to sell my soul and my guinea pig. +agree-tos = True + +# Use DNS-01 challenge +authenticator = dns-rfc2136 +dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini +dns-rfc2136-propagation-seconds = 30 # Wildcard the domain cert-name = {{ certbot.certname }} diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 new file mode 100644 index 0000000..948f6a1 --- /dev/null +++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 @@ -0,0 +1,7 @@ +{{ ansible_managed | comment(decoration='# ') }} + +dns_rfc2136_server = {{ certbot.dns_rfc2136_server }} +dns_rfc2136_port = 53 +dns_rfc2136_name = {{ certbot.dns_rfc2136_name }} +dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }} +dns_rfc2136_algorithm = HMAC-SHA512 From 7e4a2d20c01157247d3abf124dd2203785580c7d Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 17:07:23 +0100 Subject: [PATCH 046/126] Clone nginx role from Crans 
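Review bot: In rfc2136.ini.j2, `dns_rfc2136_algorithm = HMAC-SHA512` and `dns_rfc2136_port = 53` are fixed while server, key name and secret come from `certbot.*`; if the TSIG key on the master is generated with another algorithm the mismatch only surfaces as a failed challenge at renewal time, so template it too, e.g. `dns_rfc2136_algorithm = {{ certbot.dns_rfc2136_algorithm | default('HMAC-SHA512') }}`. The server-side update-policy for `certbot_challenge.` is not in this commit; the secret deployed here should be allowed to update only the `_acme-challenge` names rather than the whole zone, and a comment in the template pointing at where that policy lives would let a reviewer check it. The file is deployed `0600` root-owned by the tasks hunk, which is the right protection for the secret.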
Signed-off-by: Yohann D'ANELLO --- group_vars/nginx.yml | 24 ++++ roles/nginx/handlers/main.yml | 5 + roles/nginx/tasks/main.yml | 121 ++++++++++++++++++ roles/nginx/templates/letsencrypt/dhparam.j2 | 8 ++ roles/nginx/templates/nginx/passwd.j2 | 4 + .../nginx/sites-available/redirect.j2 | 67 ++++++++++ .../nginx/sites-available/reverseproxy.j2 | 56 ++++++++ .../reverseproxy_redirect_dname.j2 | 37 ++++++ .../nginx/sites-available/service.j2 | 114 +++++++++++++++++ .../templates/nginx/snippets/fastcgi.conf.j2 | 18 +++ .../nginx/snippets/options-proxypass.conf.j2 | 19 +++ .../nginx/snippets/options-ssl.conf.j2 | 17 +++ .../templates/update-motd.d/05-service.j2 | 3 + roles/nginx/templates/www/html/401.html.j2 | 18 +++ roles/nginx/templates/www/html/50x.html.j2 | 63 +++++++++ roles/nginx/templates/www/html/robots.txt.j2 | 4 + 16 files changed, 578 insertions(+) create mode 100644 group_vars/nginx.yml create mode 100644 roles/nginx/handlers/main.yml create mode 100644 roles/nginx/tasks/main.yml create mode 100644 roles/nginx/templates/letsencrypt/dhparam.j2 create mode 100644 roles/nginx/templates/nginx/passwd.j2 create mode 100644 roles/nginx/templates/nginx/sites-available/redirect.j2 create mode 100644 roles/nginx/templates/nginx/sites-available/reverseproxy.j2 create mode 100644 roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 create mode 100644 roles/nginx/templates/nginx/sites-available/service.j2 create mode 100644 roles/nginx/templates/nginx/snippets/fastcgi.conf.j2 create mode 100644 roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2 create mode 100644 roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 create mode 100755 roles/nginx/templates/update-motd.d/05-service.j2 create mode 100644 roles/nginx/templates/www/html/401.html.j2 create mode 100644 roles/nginx/templates/www/html/50x.html.j2 create mode 100644 roles/nginx/templates/www/html/robots.txt.j2 
diff --git a/group_vars/nginx.yml b/group_vars/nginx.yml new file mode 100644 index 0000000..eef80da --- /dev/null +++ b/group_vars/nginx.yml @@ -0,0 +1,24 @@ +--- +glob_nginx: + contact: tech.aurore@lists.crans.org + who: "L'équipe technique d'Aurore" + service_name: service + ssl: + cert: /etc/letsencrypt/live/auro.re/fullchain.pem + cert_key: /etc/letsencrypt/live/auro.re/privkey.pem + trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem + servers: + - ssl: false + server_name: + - "default" + - "_" + root: "/var/www/html" + locations: + - filter: "/" + params: [] + upstreams: [] + + auth_passwd: [] + default_server: + default_ssl_server: + deploy_robots_file: false diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml new file mode 100644 index 0000000..6dfcdd7 --- /dev/null +++ b/roles/nginx/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Reload nginx + systemd: + name: nginx + state: reloaded diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml new file mode 100644 index 0000000..4d4179c --- /dev/null +++ b/roles/nginx/tasks/main.yml 
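Review bot: `auth_passwd: []` in the new group_vars/nginx.yml is a list, but nginx/passwd.j2 in the same commit iterates it with `nginx.auth_passwd.items()`, which only exists on a mapping; the `when: nginx.auth_passwd|length > 0` guard hides this for the empty default, and the first host that sets a list will fail at template time. Make the default a mapping, `auth_passwd: {}`. `default_server:` and `default_ssl_server:` are bare empty values, which parse as null and are relied on as falsy by service.j2; write `default_server: null` explicitly so yamllint's empty-values check passes and the intent is visible.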
@@ -0,0 +1,121 @@ +--- +- name: Install NGINX + apt: + update_cache: true + name: nginx + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Copy snippets + template: + src: "nginx/snippets/{{ item }}.j2" + dest: "/etc/nginx/snippets/{{ item }}" + owner: root + group: root + mode: 0644 + loop: + - options-ssl.conf + - options-proxypass.conf + +- name: Copy dhparam + template: + src: letsencrypt/dhparam.j2 + dest: /etc/letsencrypt/dhparam + owner: root + group: root + mode: 0644 + +- name: Disable default site + file: + dest: "/etc/nginx/sites-enabled/default" + state: absent + +- name: Copy reverse proxy sites + when: nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined + template: + src: "nginx/sites-available/{{ item }}.j2" + dest: "/etc/nginx/sites-available/{{ item }}" + owner: root + group: root + mode: 0644 + loop: + - reverseproxy + - reverseproxy_redirect_dname + - redirect + notify: Reload nginx + +- name: Activate reverse proxy sites + when: nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined + file: + src: "/etc/nginx/sites-available/{{ item }}" + dest: "/etc/nginx/sites-enabled/{{ item }}" + owner: root + group: root + state: link + loop: + - reverseproxy + - reverseproxy_redirect_dname + - redirect + notify: Reload nginx + ignore_errors: "{{ ansible_check_mode }}" + +- name: Copy service nginx configuration + when: nginx.servers is defined and nginx.servers|length > 0 + template: + src: "nginx/sites-available/service.j2" + dest: "/etc/nginx/sites-available/{{ nginx.service_name }}" + owner: root + group: root + mode: 0644 + notify: Reload nginx + +- name: Activate local nginx service site + when: nginx.servers is defined and nginx.servers|length > 0 + file: + src: "/etc/nginx/sites-available/{{ nginx.service_name }}" + dest: "/etc/nginx/sites-enabled/{{ nginx.service_name }}" + owner: root + group: root + state: link + notify: Reload nginx + ignore_errors: "{{ ansible_check_mode }}" + +- 
name: Copy 50x error page + template: + src: www/html/50x.html.j2 + dest: /var/www/html/50x.html + owner: www-data + group: www-data + mode: 0644 + +- name: Copy robots.txt file + when: nginx.deploy_robots_file + template: + src: www/html/robots.txt.j2 + dest: /var/www/html/robots.txt + owner: www-data + group: www-data + mode: 0644 + +- name: Indicate role in motd + template: + src: update-motd.d/05-service.j2 + dest: /etc/update-motd.d/05-nginx + mode: 0755 + +- name: Install passwords + when: nginx.auth_passwd|length > 0 + template: + src: nginx/passwd.j2 + dest: /etc/nginx/passwd + mode: 0644 + +- name: Copy 401 error page + when: nginx.auth_passwd|length > 0 + template: + src: www/html/401.html.j2 + dest: /var/www/html/401.html + owner: www-data + group: www-data + mode: 0644 diff --git a/roles/nginx/templates/letsencrypt/dhparam.j2 b/roles/nginx/templates/letsencrypt/dhparam.j2 new file mode 100644 index 0000000..9b182b7 --- /dev/null +++ b/roles/nginx/templates/letsencrypt/dhparam.j2 @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/roles/nginx/templates/nginx/passwd.j2 b/roles/nginx/templates/nginx/passwd.j2 new file mode 100644 index 0000000..6e61ce2 --- /dev/null +++ b/roles/nginx/templates/nginx/passwd.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed }} +{% for user, hash in nginx.auth_passwd.items() -%} +{{ user }}: {{ hash }} +{% endfor -%} diff --git a/roles/nginx/templates/nginx/sites-available/redirect.j2 b/roles/nginx/templates/nginx/sites-available/redirect.j2 new file mode 100644 index 0000000..28e9b7d --- /dev/null 
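Review bot: `Install passwords` writes `/etc/nginx/passwd` with `mode: 0644` and no owner/group, so the basic-auth hashes rendered by passwd.j2 are readable by every local account; the worker presumably runs as `www-data` (the user the other tasks chown web content to), so `owner: root`, `group: www-data`, `mode: "0640"` is enough. All the `mode:` values in this role (`0644`, `0755`) are unquoted octals and should be `"0644"` / `"0755"` to stay strings across YAML parsers and satisfy ansible-lint. The 50x, robots and 401 pages are installed `owner: www-data`, which lets the worker rewrite its own error pages; root-owned, world-readable files are the usual choice for static content the server only reads.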
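Review bot: passwd.j2 renders each entry as `{{ user }}: {{ hash }}`, with a space after the colon; nginx's `auth_basic_user_file` format is `name:hash` and, as far as I know, the parser does not trim the password field, so the leading space would make every hash fail to verify — confirm against a deployed file before merging, and drop the space: `{{ user }}:{{ hash }}`.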
+++ b/roles/nginx/templates/nginx/sites-available/redirect.j2 @@ -0,0 +1,67 @@ +# {{ ansible_managed }} + +{% for site in nginx.redirect_sites %} +# Redirect http://{{ site.from }} to http://{{ site.to }} +server { + listen 80; + listen [::]:80; + + server_name {{ site.from }}; + + location / { + return 302 http://{{ site.to }}$request_uri; + } +} + +# Redirect https://{{ site.from }} to https://{{ site.to }} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ site.from }}; + + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; + + location / { + return 302 https://{{ site.to }}$request_uri; + } +} + +{% endfor %} + +{# Also redirect for DNAMEs #} +{% for dname in nginx.redirect_dnames %} +{% for site in nginx.redirect_sites %} +{% set from = site.from | regex_replace('crans.org', dname) %} +{% if from != site.from %} +# Redirect http://{{ from }} to http://{{ site.to }} +server { + listen 80; + listen [::]:80; + + server_name {{ from }}; + + location / { + return 302 http://{{ site.to }}$request_uri; + } +} + +# Redirect https://{{ from }} to https://{{ site.to }} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ from }}; + + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; + + location / { + return 302 https://{{ site.to }}$request_uri; + } +} + +{% endif %} +{% endfor %} +{% endfor %} diff --git a/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 new file mode 100644 index 0000000..d29d13c --- /dev/null +++ b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 
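Review bot: redirect.j2 iterates `nginx.redirect_sites` and `nginx.redirect_dnames` unconditionally, but the task that renders it runs when `nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined`, so a host with only reverse-proxy sites fails at template time on the undefined attribute; guard the loops with `{% for site in nginx.redirect_sites | default([]) %}` and `{% for dname in nginx.redirect_dnames | default([]) %}`. reverseproxy.j2 (`nginx.reverseproxy_sites`) and reverseproxy_redirect_dname.j2 (both variables) in this commit have the same gap. The DNAME block rewrites names with `regex_replace('crans.org', dname)`, a leftover of the Crans clone: this repository's zone is `auro.re` (group_vars/certbot.yml earlier in the series), so `from` never differs from `site.from` and no DNAME server is ever emitted; the base domain should come from a variable, and the unescaped `.` in the pattern should be `\.`.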
@@ -0,0 +1,56 @@ +# {{ ansible_managed }} + +# Automatic Connection header for WebSocket support +# See http://nginx.org/en/docs/http/websocket.html +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +{% for site in nginx.reverseproxy_sites %} +# Redirect http://{{ site.from }} to https://{{ site.from }} +server { + listen 80; + listen [::]:80; + + server_name {{ site.from }}; + + location / { + return 302 https://$host$request_uri; + } +} + +# Reverse proxify https://{{ site.from }} to http://{{ site.to }} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ site.from }}; + + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; + + # Log into separate log files + access_log /var/log/nginx/{{ site.from }}.log; + error_log /var/log/nginx/{{ site.from }}_error.log; + + # Keep the TCP connection open a bit for faster browsing + keepalive_timeout 70; + + # Custom error page + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /var/www/html; + } + + set_real_ip_from 10.231.136.0/24; + set_real_ip_from 2a0c:700:0:2::/64; + real_ip_header P-Real-Ip; + + location / { + proxy_pass http://{{ site.to }}; + include "/etc/nginx/snippets/options-proxypass.conf"; + } +} + +{% endfor %} diff --git a/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 new file mode 100644 index 0000000..4edda25 --- /dev/null +++ b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 
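Review bot: `set_real_ip_from 10.231.136.0/24;`, `set_real_ip_from 2a0c:700:0:2::/64;` and `real_ip_header P-Real-Ip;` in the HTTPS server of reverseproxy.j2 trust a non-standard client-IP header from two ranges that appear nowhere else in this series (the networks used here are 10.x and 45.66.108.x), so they look carried over from the Crans clone. If no upstream proxy of Aurore's sets `P-Real-Ip`, drop the three lines; if one does, put its ranges in a variable next to the site list so the trust boundary is declared in inventory rather than buried in a template. Which of the two applies is not visible in this commit.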
@@ -0,0 +1,37 @@ +# {{ ansible_managed }} + +{% for dname in nginx.redirect_dnames %} +{% for site in nginx.reverseproxy_sites %} +{% set from = site.from | regex_replace('crans.org', dname) %} +{% set to = site.from %} +{% if from != site.from %} +# Redirect http://{{ from }} to http://{{ to }} +server { + listen 80; + listen [::]:80; + + server_name {{ from }}; + + location / { + return 302 http://{{ to }}$request_uri; + } +} + +# Redirect https://{{ from }} to https://{{ to }} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ from }}; + + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; + + location / { + return 302 https://{{ to }}$request_uri; + } +} + +{% endif %} +{% endfor %} +{% endfor %} diff --git a/roles/nginx/templates/nginx/sites-available/service.j2 b/roles/nginx/templates/nginx/sites-available/service.j2 new file mode 100644 index 0000000..3d9db5d --- /dev/null +++ b/roles/nginx/templates/nginx/sites-available/service.j2 
@@ -0,0 +1,114 @@ +# {{ ansible_managed }} + +# Automatic Connection header for WebSocket support +# See http://nginx.org/en/docs/http/websocket.html +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +{% for upstream in nginx.upstreams -%} +upstream {{ upstream.name }} { + # Path of the server + server {{ upstream.server }}; +} +{% endfor -%} + +{% if nginx.default_ssl_server -%} +# Redirect all services to the main site +server { + listen 443 default_server ssl; + listen [::]:443 default_server ssl; + include "/etc/nginx/snippets/options-ssl.conf"; + + server_name _; + charset utf-8; + + # Hide Nginx version + server_tokens off; + + location / { + return 302 https://{{ nginx.default_ssl_server }}$request_uri; + } +} +{% endif -%} + +{% if nginx.default_server -%} +# Redirect all services to the main site +server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name _; + charset utf-8; + + # Hide Nginx version + server_tokens off; + + location / { + return 302 http://{{ nginx.default_server }}$request_uri; + } +} +{% endif -%} + +{% for server in nginx.servers %} +{% if server.ssl is defined and server.ssl -%} +# Redirect HTTP to HTTPS +server { + listen 80; + listen [::]:80; + + server_name {{ server.server_name|join(" ") }}; + charset utf-8; + + # Hide Nginx version + server_tokens off; + + location / { + return 302 https://$host$request_uri; + } +} +{% endif -%} + +server { + {% if server.ssl is defined and server.ssl -%} + listen 443 ssl; + listen [::]:443 ssl; + include "/etc/nginx/snippets/options-ssl.conf"; + {% else -%} + listen 80; + listen [::]:80; + {% endif -%} + + server_name {{ server.server_name|join(" ") }}; + charset utf-8; + + # Hide Nginx version + server_tokens off; + + {% if server.root is defined -%} + root {{ server.root }}; + {% endif -%} + {% if server.index is defined -%} + index {{ server.index|join(" ") }}; + {% endif -%} + + {% if server.access_log is defined -%} + access_log {{ 
server.access_log }}; + {% endif -%} + {% if server.error_log is defined -%} + error_log {{ server.error_log }}; + {% endif -%} + + {% if server.locations is defined -%} + + {% for location in server.locations -%} + location {{ location.filter }} { + {% for param in location.params -%} + {{ param }}; + {% endfor -%} + } + {% endfor -%} +{% endif -%} +} +{% endfor %} diff --git a/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2 b/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2 new file mode 100644 index 0000000..0b21030 --- /dev/null +++ b/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2 @@ -0,0 +1,18 @@ +# {{ ansible_managed }} + +# regex to split $uri to $fastcgi_script_name and $fastcgi_path +fastcgi_split_path_info (^/[^/]*)(.*)$; + +# check that the PHP script exists before passing it +try_files $fastcgi_script_name =404; + +# Bypass the fact that try_files resets $fastcgi_path_info +# see: http://trac.nginx.org/nginx/ticket/321 +set $path_info $fastcgi_path_info; +fastcgi_param PATH_INFO $path_info; + +# Let NGINX handle errors +fastcgi_intercept_errors on; + +include /etc/nginx/fastcgi.conf; +fastcgi_pass unix:/var/run/fcgiwrap.socket; diff --git a/roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2 new file mode 100644 index 0000000..9515d81 --- /dev/null +++ b/roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2 @@ -0,0 +1,19 @@ +# {{ ansible_managed }} + +proxy_redirect off; +proxy_set_header Host $host; + +# Pass the real client IP +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +# Tell proxified server that we are HTTPS, fix Wordpress +proxy_set_header X-Forwarded-Proto https; + +# WebSocket support +proxy_http_version 1.1; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection $connection_upgrade; + +# For Owncloud WebDav +client_max_body_size 10G; 
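Review bot: service.j2 consumes a fairly rich `nginx.servers` schema (`ssl`, `server_name`, `root`, `index`, `access_log`, `error_log`, `locations[].filter`, `locations[].params`) that is described nowhere in the role; a Jinja comment block at the top of the template listing those keys, and stating that each `params` entry is inserted verbatim as an nginx directive, would make host_vars written against it reviewable. The TLS listeners here are `listen 443 ssl;` while reverseproxy.j2 and redirect.j2 in the same commit use `listen 443 ssl http2;`; align them unless the omission is deliberate.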
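Review bot: fastcgi.conf.j2 is added under nginx/snippets, but the `Copy snippets` loop in roles/nginx/tasks/main.yml only deploys `options-ssl.conf` and `options-proxypass.conf`, so this template is never rendered and `fastcgi_pass unix:/var/run/fcgiwrap.socket;` has no effect; either add `- fastcgi.conf` to the loop (and install fcgiwrap alongside) or leave the file out until a site needs it.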
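Review bot: `proxy_set_header X-Forwarded-Proto https;` hard-codes the scheme; the snippet is included from whatever `location` a site's `params` names, including plain-HTTP servers, so `proxy_set_header X-Forwarded-Proto $scheme;` reports the truth in both cases. `client_max_body_size 10G;` applies to every proxied site because the snippet is shared; the comment says it is for Owncloud WebDAV, so move it into that site's `params` and keep a modest default here. `X-Forwarded-For $proxy_add_x_forwarded_for` appends to any client-supplied header, which is standard, but a comment that upstreams must trust only the last hop avoids the usual misreading.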
diff --git a/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 new file mode 100644 index 0000000..fee51c6 --- /dev/null +++ b/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 @@ -0,0 +1,17 @@ +# {{ ansible_managed }} + +ssl_certificate {{ nginx.ssl.cert }}; +ssl_certificate_key {{ nginx.ssl.cert_key }}; +ssl_session_timeout 1d; +ssl_session_cache shared:MozSSL:10m; +ssl_session_tickets off; +ssl_dhparam /etc/letsencrypt/dhparam; +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +ssl_prefer_server_ciphers off; + +# Enable OCSP Stapling, point to certificate chain +ssl_stapling on; +ssl_stapling_verify on; +ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + diff --git a/roles/nginx/templates/update-motd.d/05-service.j2 b/roles/nginx/templates/update-motd.d/05-service.j2 new file mode 100755 index 0000000..fdff0b8 --- /dev/null +++ b/roles/nginx/templates/update-motd.d/05-service.j2 @@ -0,0 +1,3 @@ +#!/usr/bin/tail +14 +# {{ ansible_managed }} +> NGINX a été déployé sur cette machine. Voir /etc/nginx/. diff --git a/roles/nginx/templates/www/html/401.html.j2 b/roles/nginx/templates/www/html/401.html.j2 new file mode 100644 index 0000000..93fc38a --- /dev/null +++ b/roles/nginx/templates/www/html/401.html.j2 @@ -0,0 +1,18 @@ +{{ ansible_header | comment('xml') }} + + + + Accès refusé + + + +
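Review bot: `ssl_stapling on;` and `ssl_stapling_verify on;` need a `resolver` directive for nginx to reach the OCSP responder, and none is set in this snippet or elsewhere in the commit; unless nginx.conf already defines one (not visible here), stapling stays off with only a warning in the error log. The cipher list and session settings look like the Mozilla intermediate profile; naming the source and its version in a comment turns the next refresh into a diff rather than a re-derivation. The hunk also adds a trailing empty line after `ssl_trusted_certificate`, which the role's other templates avoid.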

Accès refusé

+

+ Pour éviter le scan des adresses de diffusions par un robot, cette page demande un identifiant et mot de passe. +

+
    +
  • Identifiant : Stop
  • +
  • Mot de passe : Spam
  • +
+ + diff --git a/roles/nginx/templates/www/html/50x.html.j2 b/roles/nginx/templates/www/html/50x.html.j2 new file mode 100644 index 0000000..078e2de --- /dev/null +++ b/roles/nginx/templates/www/html/50x.html.j2 @@ -0,0 +1,63 @@ + + + + + 502 + + + + +
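Review bot: The 401 page explains the prompt as protecting mailing-list addresses from crawlers (`Pour éviter le scan des adresses de diffusions par un robot`) and prints the credential pair, which is the Crans use case the role was cloned from; the nginx hosts in this series are the captive portal, so the wording needs adapting. Because the page publishes the pair, anything placed behind this `auth_basic` gate is reachable by anyone who reads the 401 — it is an anti-crawler speed bump, not access control, and a short comment in the template saying so will keep it from being reused for real protection. The markup itself is not readable in this rendering of the diff.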

502

+

Whoops, le service prend trop de temps à répondre…

+

Essayez de rafraîchir la page. Si le problème persiste, pensez + à contacter {{ nginx.who }}.

+ + + diff --git a/roles/nginx/templates/www/html/robots.txt.j2 b/roles/nginx/templates/www/html/robots.txt.j2 new file mode 100644 index 0000000..3fbaed7 --- /dev/null +++ b/roles/nginx/templates/www/html/robots.txt.j2 @@ -0,0 +1,4 @@ +{{ ansible_header | comment }} + +User-agent: * +Disallow: / From a808e3c7938c6a729ac78eef775ead423f09bdf1 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 17:08:06 +0100 Subject: [PATCH 047/126] Update captive portal nginx configuration Signed-off-by: Yohann D'ANELLO --- host_vars/portail.adm.auro.re.yml | 139 ++++++++++++++++++++++-------- hosts | 5 ++ services_web.yml | 10 ++- 3 files changed, 115 insertions(+), 39 deletions(-) diff --git a/host_vars/portail.adm.auro.re.yml b/host_vars/portail.adm.auro.re.yml index 8af0987..cb3c466 100644 --- a/host_vars/portail.adm.auro.re.yml +++ b/host_vars/portail.adm.auro.re.yml 
@@ -1,53 +1,116 @@ --- -certbot: +loc_certbot: domains: - - portail.auro.re + - portail-fleming.auro.re + - portail-pacaterie.auro.re + - portail-rives.auro.re + - portail-edc.auro.re + - portail-gs.auro.re mail: tech.aurore@lists.crans.org certname: auro.re -nginx: - ssl: - cert: /etc/letsencrypt/live/auro.re/fullchain.pem - cert_key: /etc/letsencrypt/live/auro.re/privkey.pem - trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem +loc_nginx: + service_name: captive_portal + default_server: '$server_addr' + default_ssl_server: '$server_addr' - redirect_dnames: {} + servers: + - ssl: false + server_name: + - "10.13.0.247" + locations: + - filter: "/" + params: + - "return 302 https://portail-fleming.auro.re/portail/" - redirect_tcp: {} + - ssl: true + server_name: + - portail-fleming.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-fleming.auro.re/portail/" - redirect_sites: - - from: 10.13.0.247 - to: portail-fleming.auro.re - norequesturi: true + - ssl: false + server_name: + - 10.23.0.247 + locations: + - filter: "/" + params: + - "return 302 https://portail-pacaterie.auro.re/portail/" - - from: 10.23.0.247 - to: portail-.auro.re - norequesturi: true + - ssl: true + server_name: + - portail-pacaterie.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-pacaterie.auro.re/portail/" - - from: 10.33.0.247 - to: portail-rives.auro.re - norequesturi: true + - ssl: false + server_name: + - "10.33.0.247" + locations: + - filter: "/" + params: + - "return 302 https://portail-rives.auro.re/portail/" - - from: 10.43.0.247 - to: 
portail-edc.auro.re - norequesturi: true + - ssl: true + server_name: + - portail-rives.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-rives.auro.re/portail/" - - from: 10.53.0.247 - to: portail-gs.auro.re - norequesturi: true + - ssl: false + server_name: + - "10.43.0.247" + locations: + - filter: "/" + params: + - "return 302 https://portail-edc.auro.re/portail/" - reverseproxy_sites: - - from: portail-fleming.auro.re - to: 10.128.0.20 + - ssl: true + server_name: + - portail-edc.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-edc.auro.re/portail/" - - from: portail-pacaterie.auro.re - to: 10.128.0.20 + - ssl: false + server_name: + - "10.53.0.247" + locations: + - filter: "/" + params: + - "return 302 https://portail-gs.auro.re/portail/" - - from: portail-rives.auro.re - to: 10.128.0.20 - - - from: portail-edc.auro.re - to: 10.128.0.20 - - - from: portail-gs.auro.re - to: 10.128.0.20 + - ssl: true + server_name: + - portail-gs.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-gs.auro.re/portail/" diff --git a/hosts b/hosts index 3f03ed2..55cf3fc 100644 --- a/hosts +++ b/hosts @@ -489,3 +489,8 @@ ldap-replica-ovh.adm.auro.re [ldap_replica_rives] ldap-replica-rives.adm.auro.re +[certbot] +portail.adm.auro.re + +[nginx] +portail.adm.auro.re 
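Review bot: The proxied `filter` for each building, `~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)`, is a regex with no `^` anchor, so it matches the substring anywhere in the URI and forwards any path containing `/static`, `/media`, `/about`, … to the re2o backend rather than only the listed prefixes; anchor it, `~ ^/(portail|static|javascript|media|about|contact|logout|.*-autocomplete)`, so the captive-portal allow-list means what it says (whether re2o exposes anything sensitive at such nested paths is not visible here, but the anchor costs nothing). The five building blocks differ only in the IP, the hostname and the redirect target; a YAML anchor for the shared `locations` or a loop over a building list would remove the copy-paste that later commits in this series have to edit five times. Quoting of the IP server names is inconsistent (`"10.13.0.247"` vs `10.23.0.247`); both parse as strings, but pick one style.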
diff --git a/services_web.yml b/services_web.yml index 73b900b..62b7044 100755 --- a/services_web.yml +++ b/services_web.yml @@ -11,7 +11,15 @@ - passbolt # Deploy reverse proxy -- hosts: portail.adm.auro.re,proxy*.adm.auro.re +- hosts: proxy*.adm.auro.re roles: - certbot - nginx_reverseproxy + +- hosts: portail.adm.auro.re + vars: + certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}' + nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}' + roles: + - certbot + - nginx From bbac76023c85307a089cf56be72c9b274edcf5c2 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 17:08:24 +0100 Subject: [PATCH 048/126] Update masquerade configuration for the captive portal Signed-off-by: Yohann D'ANELLO --- roles/router/templates/firewall_config.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index 6909b85..5ccd388 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py @@ -71,6 +71,10 @@ nat = [ '10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}' }, 'extra_nat_group': 'accueil_ens23_allowed', + 'masquerade': [ + '10.{{ subnet_ids.users_accueil }}.1.0/24', + '10.{{ subnet_ids.users_accueil }}.2.0/24', + ] }, ] From a82edc3e24a3a0f24d5fd0ea95e253e2efaa8f07 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 18:30:37 +0100 Subject: [PATCH 049/126] Firewall configuration without MASQUERADE Signed-off-by: Yohann D'ANELLO --- roles/router/templates/firewall_config.py | 25 +++++++++++-------- .../templates/firewall_config_aurore.py | 12 ++++++--- 2 files changed, 24 insertions(+), 13 deletions(-) diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index 5ccd388..9971765 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py 
@@ -57,24 +57,29 @@ nat = [ }, 'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16', 'extra_nat' : { - '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{ + 'ens19': { + '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{ apartment_block_id }}', - '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}' + '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}', + }, } }, { 'name': 'Accueil', 'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16', 'extra_nat': { - '10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ - apartment_block_id }}', - '10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}' + 'ens19': { + '10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ apartment_block_id }}', + '10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}', + }, + 'ens23' : { + '10.{{ subnet_ids.users_accueil }}.1.0/24': '10.{{ subnet_ids.users_accueil }}.0.240', + '10.{{ subnet_ids.users_accueil }}.2.0/24': '10.{{ subnet_ids.users_accueil }}.0.240', + }, + }, + 'extra_nat_group': { + 'ens19': 'accueil_ens23_allowed', }, - 'extra_nat_group': 'accueil_ens23_allowed', - 'masquerade': [ - '10.{{ subnet_ids.users_accueil }}.1.0/24', - '10.{{ subnet_ids.users_accueil }}.2.0/24', - ] }, ] diff --git a/roles/router/templates/firewall_config_aurore.py b/roles/router/templates/firewall_config_aurore.py index c41fd92..af757a0 100644 --- a/roles/router/templates/firewall_config_aurore.py +++ b/roles/router/templates/firewall_config_aurore.py 
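Review bot: The new `'extra_nat_group': {'ens19': 'accueil_ens23_allowed'}` keys the group by `ens19` while the set is named for `ens23`, the interface the second `extra_nat` entry uses; one of the two looks wrong, and since this set presumably decides which accueil hosts get public NAT, a mistake here either blocks paying users or lets unauthorised ones out. Confirm against the consumer in aurore-firewall (not in this commit) and either rename the set or add a comment explaining why the ens19 NAT is gated by an ens23-named set. The `'ens23'` entries SNAT both accueil /24s to `10.{{ subnet_ids.users_accueil }}.0.240`; a comment naming what that address is would help the next reader.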
@@ -41,9 +41,15 @@ nat = [ { 'name' : 'AdminVlans', 'extra_nat' : { - '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}', - '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}', - '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}' + 'ens18': { + '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}', + }, + 'ens19': { + '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}', + }, + 'ens20': { + '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}', + }, } } ] From 3f626449272bb313cf55d19666cef7d0fc9c01ab Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 19:02:14 +0100 Subject: [PATCH 050/126] Use production server Signed-off-by: Yohann D'ANELLO --- host_vars/portail.adm.auro.re.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/host_vars/portail.adm.auro.re.yml b/host_vars/portail.adm.auro.re.yml index cb3c466..e9d005d 100644 --- a/host_vars/portail.adm.auro.re.yml +++ b/host_vars/portail.adm.auro.re.yml @@ -29,7 +29,7 @@ loc_nginx: locations: - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" params: - - "proxy_pass http://10.128.0.80" + - "proxy_pass http://10.128.0.20" - "include /etc/nginx/snippets/options-proxypass.conf" - filter: "/" params: @@ -49,7 +49,7 @@ loc_nginx: locations: - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" params: - - "proxy_pass http://10.128.0.80" + - "proxy_pass http://10.128.0.20" - "include /etc/nginx/snippets/options-proxypass.conf" - filter: "/" params: @@ -69,7 +69,7 @@ loc_nginx: locations: - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" params: - - "proxy_pass http://10.128.0.80" + - "proxy_pass http://10.128.0.20" - "include /etc/nginx/snippets/options-proxypass.conf" - filter: "/" params: 
@@ -89,7 +89,7 @@ loc_nginx: locations: - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" params: - - "proxy_pass http://10.128.0.80" + - "proxy_pass http://10.128.0.20" - "include /etc/nginx/snippets/options-proxypass.conf" - filter: "/" params: @@ -109,7 +109,7 @@ loc_nginx: locations: - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" params: - - "proxy_pass http://10.128.0.80" + - "proxy_pass http://10.128.0.20" - "include /etc/nginx/snippets/options-proxypass.conf" - filter: "/" params: From c527ce16b09ed4246fcc66ed776ddf24785cc61c Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 19:03:08 +0100 Subject: [PATCH 051/126] Use good output interface for the main router Signed-off-by: Yohann D'ANELLO --- roles/router/templates/firewall_config_aurore.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/router/templates/firewall_config_aurore.py b/roles/router/templates/firewall_config_aurore.py index af757a0..9565e3b 100644 --- a/roles/router/templates/firewall_config_aurore.py +++ b/roles/router/templates/firewall_config_aurore.py @@ -43,11 +43,7 @@ nat = [ 'extra_nat' : { 'ens18': { '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}', - }, - 'ens19': { '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}', - }, - 'ens20': { '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}', }, } From ce00d5e50fc9a4034ac2b00300d7bba7a266f93a Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 19:57:33 +0100 Subject: [PATCH 052/126] Authorize comnpay urls in the captive portal Signed-off-by: Yohann D'ANELLO --- host_vars/portail.adm.auro.re.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/host_vars/portail.adm.auro.re.yml b/host_vars/portail.adm.auro.re.yml index e9d005d..e13a06d 100644 --- a/host_vars/portail.adm.auro.re.yml +++ b/host_vars/portail.adm.auro.re.yml 
@@ -27,7 +27,7 @@ loc_nginx:
 server_name:
 - portail-fleming.auro.re
 locations:
- - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
 params:
 - "proxy_pass http://10.128.0.20"
 - "include /etc/nginx/snippets/options-proxypass.conf"
@@ -47,7 +47,7 @@ loc_nginx:
 server_name:
 - portail-pacaterie.auro.re
 locations:
- - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
 params:
 - "proxy_pass http://10.128.0.20"
 - "include /etc/nginx/snippets/options-proxypass.conf"
@@ -67,7 +67,7 @@ loc_nginx:
 server_name:
 - portail-rives.auro.re
 locations:
- - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
 params:
 - "proxy_pass http://10.128.0.20"
 - "include /etc/nginx/snippets/options-proxypass.conf"
@@ -87,7 +87,7 @@ loc_nginx:
 server_name:
 - portail-edc.auro.re
 locations:
- - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
 params:
 - "proxy_pass http://10.128.0.20"
 - "include /etc/nginx/snippets/options-proxypass.conf"
@@ -107,7 +107,7 @@ loc_nginx:
 server_name:
 - portail-gs.auro.re
 locations:
- - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
 params:
 - "proxy_pass http://10.128.0.20"
 - "include /etc/nginx/snippets/options-proxypass.conf"
From 0e224df41f3a8156f11fd9cca838d39889d88d2a Mon Sep 17 00:00:00 2001
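Review bot: The new `filter` regex in this hunk, and identically in the hunks at -47, -67, -87 and -107, spells its first alternative `potail`, so requests to `/portail…` no longer match this location and presumably fall through to the `filter: "/"` location that the previous commit shows following each of these blocks, while a nonexistent `/potail` path is what gets proxied to 10.128.0.20. Unless the backend really serves `/potail`, the line should read `- filter: "~ /(portail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"`. Since the same filter is repeated verbatim for all five `server_name` entries, holding it in one variable would have made this a single-line change and would keep the five portals from drifting apart. The `loc_nginx` list each hunk sits in continues outside the hunk.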
From: Yohann D'ANELLO
Date: Mon, 1 Feb 2021 20:28:27 +0100
Subject: [PATCH 053/126] Install ipset on each router
Signed-off-by: Yohann D'ANELLO
---
roles/router/tasks/main.yml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml
index a0b8805..cfbf28e 100644
--- a/roles/router/tasks/main.yml
+++ b/roles/router/tasks/main.yml
@@ -30,6 +30,14 @@
 mode: 0644
 when: "'routeur-aurore' in ansible_hostname"
 
+- name: Install ipset
+ apt:
+ name: ipset
+ update_cache: true
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
 - name: Install aurore-firewall (re2o-service)
 import_role:
 name: re2o-service
From 4ecb6ed7be8d2702468bd123514c657a5ba6aed8 Mon Sep 17 00:00:00 2001
From: ynerant
Date: Fri, 5 Feb 2021 21:18:26 +0100
Subject: [PATCH 054/126] Update re2o-service password
Signed-off-by: ynerant
---
group_vars/all/vault.yml | 345 +++++++++++++++++++--------------------
1 file changed, 172 insertions(+), 173 deletions(-)
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index b813ba3..8698d49 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,174 +1,173 @@ $ANSIBLE_VAULT;1.1;AES256 -34336231623938346631313932323131336439623837626366646338396137633436646365386639 -6332383765386235396331373836366230663563376665380a616436373136633933376435653230 -64333963663436393265666434653164643164616134353665306462326666623530383838343135 -3531343533656332350a343432336636316131386132306238653736633966363235623833343638 -38643061383963396466346536343061653034333037393664356661376565643765306462626231 -39326233363962373839303464333833306532343834306232653731326135653934643836323639 -36343937626536346331613263663865346634666534646266623061303639626636393230616261 -32336366356439353738633234326138656464656630303362623664616634306230623538373965 -32346439306337623737616666353830626630373562366436653131393532313035303836326430 -64613235646366616533313065396663366434363832333535336631323366336437396664303834 -30336466313064636565326564356435306136396363373464326534303366323262303732626661 -38326663313332633530353739346538343434316133343066313530366637376135323564306537 -65626261303231656432333364333965663065346436626631666466643934623064333163626339 -32633565303734303862326365336339346133393431636266303530626564326361653230626536 -32313231373037633134623761663832393666353732613965613436323939343233613433343538 -37326438383130303861316663396333376662386337353964633930353536653437653061356635 -35646232343535313130646237643835376162623639333961323964353830653366626438346237 -36343663346332656537363434396633336161373730663364306239306432343930643230656465 -37633537616232656661313764626232303535383563353861396431643735326162383866626231 -61383165613332666537656137636430323332326335323763303537386662646263353539613964 -37323966306364306436653033393931663239383435613836356164633135306233356364313036 -39356661613434633930633066646437636535313565356366303732613731333062643231313035 -65333461396131663764626665393562623030343561313136363964393664376136303839333664 
-65313465623331333538393734373264313562643232666130303930333662616465656432363039 -66616530336666343861336434633063343561323931323931346132376263376565313366306639 -64646465303432333136353661323936633965666364356633653861363139616562653834313861 -63306133613066373462383236613939316130623937643939323134343936356638376335323836 -39383334656236633037633230313138326238303863623231353465346661663162623138353461 -33343738613137366364633730346261366564646161373837613865393233663431636361663962 -38313230363737306265636435353533666262333666383639343364633464396566333433333538 -39643934646537653234336361613664333434623739353831316531313666396638333136343638 -33653034366362363562633462303165626333306664326366353334363964663936616430643662 -30616334326638323133366632663237356238353934323361376237613632396134663536336364 -39363439326335363437373939353564646663616464663763353931323233316135656634343137 -34396130386134386331643534353461663963323435656337653032376565313635623231343135 -34303130316239303065386134663332393938636332363665643832326439653733633231346537 -63383634333034323434376237663932613638363835393837613632663265616363303233653539 -61333765313463616665613136303533343230303735626437343635303934613365326166333966 -66613538393466666630363333643730653239393435616634303430396635383631613439623433 -36646431393865666162373232343335356366366633633264326639643434396234313863333163 -63396534623931633833656565396635333133376165613031663831633564663061656131303564 -61303132666264636139313738643161313134643733633366376538366135663135333333333564 -64366262353837363061653663616265393264373230346330636465336439623063636639356136 -65383638643961326661396336373163643832366561363764626461623662333436373136616437 -30316537653432356133616338353165633462643634323563306366343965326635363863316232 -61633135643861333635383464383937306236626632366235363433313335663431366531356337 -37303465323638383930336138356665343966336137356137656564303733373565366162343330 
-38326366653733376138356339313564616165626235356363343430353239616339656239323964 -31643734653263653461333135386261646265323134633334376262323330396634643764323635 -30336262323035613338333166353364333836623865393132613338393237363734616330366463 -64646163303337323531636532383438356237306337656439663565643032633462316366663164 -33613039326337353531303831313136653539353261373930613030383134653261363833653439 -31343662623035393238646263633066653362323434306137633339393330376462356139333362 -35363436356530363134663064653031376561343732346262383333353733363136396262643135 -31326566303535343833326562376464643632363434323839366366626134303830323563633237 -37313964353033316163303738636632346137353437333463303135323631383132623133663130 -32373163393861366137303138363134653534613236636439623731393837306130626638343134 -39313532386338343662333134353761653162663665396664366239633536613132313735373334 -37613161383633653861376433633632333163653439633938386137313632396137616337373465 -65383238396439666537313833663364333731613434333739393161363437306665363834653761 -34303464386633633163353636643964393233383232623765373239376633393139326630653765 -62646439646534376234323661383063656463313437323231333165626163626262626562376338 -62646362346261313738323830613037663035666361386139666432613230346334323063326239 -65303065343061613736343663363630336333623439383032313137616131623933323636306331 -34636130626338303039356137353532346562363531623936316162336663306437386532363236 -36333661316161613237343032623764396435346632363963643438316430666539393566353939 -33333234313839636537366465356364303438313830663261373563346538626432313139303030 -33333066626463663663643833323764643737386162663766356665643064313263376434353038 -37643630643737663566653562353261333734636262626437393239383063613661643166626630 -31313564346239396561326162333534376264616435313762623032636432363832383630343964 -30343663643935633465393465626131633931623930653962303830333065363435383237653566 
-65646632376330306437663334313932653230653562356338663366616463303466366263366137 -64633934626339633235386630396561376130373763313137386531356637633863393035306634 -65353432323235363135633832373032623837376333346131303162303464616234313062316563 -64646634633963663032613533636665333335656539323238623362306363313835626632306236 -30663637356463363530316434316639326639633539333335633330333834643035353932313638 -64356565653065666131373538356462306633343161376537323762313666373235353236313963 -65613561633266306632616538616461626532666435663038646138386430376164663766363138 -35316262393065653739323035666531333330326235386133383834383865356635666537333533 -31376138353231313262646334386566376264323066373934666363313431643738383064666437 -36656437313039656666373530346534393735353163646635663839326366643333393665626464 -36616637303631653661373433653865323634363065303433386534363064356564636465366265 -31333064383233636538393032376234663663353162343530376631356533653231303730396465 -33366162376464633633313664303939306330613865663431653037303061633130626635653638 -66626264363333376463386666313663333964333137333231303361616533393236373861656534 -32326335306566623332396638383133353434363565316432353963353062313662326361336537 -34396632656234333263663831326566353434316234613365316132363730643665373761666562 -31393565653663653731633333633730326265376135666162656132623238333765333363653130 -61353632313532616266363139336162336565356365316531336364623930636430353831623233 -61616131313438306633333066613764313161333934316139633738623164623564646365663566 -66356464376133363137313036623930373362306166623838373131313330393837396261656561 -66396233313530643164353264656563383632363139333262626532376562613630643437666266 -66656335656634613138316138643666623430363833663035616138336461303035633731636262 -36393939333765346239666433323032323361343934656463396365333366623337316663396263 -36616431626633663963636135643833666234613830366434636532373031343263316436306162 
-39356365376561643665323866656465313434623138326238353662653735613565623264333336 -61393763363862613766653064636130323732663466366133666361636339356464313037353462 -63633936653235656538383433393065393162643034393538666433616131343462346235393164 -39353663373338626665663563663162633430343330373430376336326432346233663365376533 -32656465343538643137326366653232343530363834383831386634366262303333636261353863 -32633437343432653936643766363338636535613532323362656435613363393238626466303861 -38633861333638613466306338613932353964393365356637306261626535323732316362623731 -33313963623439613939333639346461663338373334396165636231666266613065323731373964 -64313133383435333935376531313432663766633133633863356563663535333263636237386136 -61653963633166383135333436646465383536373039383538326366636634313061613730653962 -37623962643866396637336231363038373465393637356463656566666661313130313863383233 -37343636346535363832626365396262303862393535336565393635663637323730373564336634 -37363036323733306535336366373630356531353737303165376530656433626634343365626239 -64346136363030663862313431653761666432393933366665346361626361623039326434633835 -32666538653037613361343536383634643762356234366433663639653461303933306434333864 -37386436393465323139306161333738383265323436376536656264356230303163326134323864 -63396331666431666464656161633466333764653631623131646566303366333030653834333335 -31323365353239366232643863386365633861376235643034303563613363663661616564363663 -63326562613365653539383336383339646164623864323830653434623365393432666466323134 -33626330373361393734656632393232363866613863373135636537613934343065306265623964 -34643765636165393336356630353663343065333431656164363638646233663762346536343362 -65653364343537383336373933313464663464653465383830363631316336303464313731356230 -34336130323766386465373162346535396565346630353734303937396130656132376331326563 -36386339383338346533646331666262396432336434646333653664326635386238333763626637 
-31363464306465666339316436323265623437636533643431363161323139653065323534636533 -64386334353439373133313937343234373963353331646233346432646430636530663336316134 -66303337313034396232643531643262343036313762633165353665653938313665386363353865 -66333166303636626565613136653365313763303263313239333033353638616566656134396131 -38356434343931303134303362313363343634613361353538636634336332373132356165326163 -30386130326239366532363962316435663862393836326439623862366166376234343439306465 -36346639623939353232366333643963646336383833386565643435393734653936313638663930 -32323065343737663564333961373034393261613862333431663562353964666561643831316432 -35313832356639333937333266306166656538643065386639346337306134613536356137316331 -38376434666332366531393639303561663934353130333161636530383932653236313530616531 -61656664626663373164343863333039356362343034326131376666623264663732303734366363 -30306430353732616131346637626332656434393163313661356465393263393235396662623962 -62643538623331646265643561623366383937313136383939366164613235666234663137653432 -34316138643139336331356663333632656539653632626136613431393736613630353237356164 -33623632643335663163656236633134343464353837346237316162346634633336663564656531 -39373730346130363963376463326238366235613539613466653139306237343164336462353236 -39323361636333353661633863663162633563343937366461346338363061623730633537626562 -30353938383664333861366431343033313961376436363065373430353736343563313531386663 -37313534303564333237616331396437376436383833373936376664666366373235613533663239 -64653863613531356666646233393533646131333961343730663461346235633961306263343831 -64386332653330323937643266373437633465363933653833343930616134626566363339366362 -36356163333730656233653431326430326566386264343330666131393166323537623137396237 -65386234653231666631366533383762643830333261363532666138386263643662633932626335 -66303363613035643931393933303035323566373634663037313338616132373162366334373962 
-33666463613435396331326565353433336361303562326562663035313639333232333430373266 -65383235356132353838636565636436356361653831356430663935613766613237366564316566 -37396130393363386566306162346466326165353863636633306335383265306139396339383866 -34326335323962633032386162623033353036643437313832323166363764653339343638343964 -66626662326234306362656162336538353131366337643761643930306163333661653062663832 -61303963623433313565633235306132366663336662616232613339366363373934613631623431 -34323736383366333032343364373533363761323338346163323836653235653136646162306166 -65333734623663346233343961396566313838653036396430396134393839326535363237363638 -38333232333863396334366561303136333863356666656335633630616531363766343535616533 -35656166303837653365303436623431613931336331356531666665346562613263363666626238 -62626236323863383366643162356462306163653032626130333863656337623136646439316337 -33306432663134383038646133346131333732633932383239643733643138303434646565663266 -34616265383733343963323538656138656331396438616133393063356638633965323363653066 -65353837333363613762333839313631373137363064383830353565333832356162323862393030 -35373038613133643466636537626437393837633865363566343565626633376262373766613738 -39343334336238363131373762646564653839623531323066356430326263376534373664363331 -64373735383933303638303661333964333464306338613363326261623438336530636262373766 -35346339643939666162386232666236326131366366303432393838326239313730323431376231 -39363032616666393431326533643865643937363937356431623763363037373333653266376561 -63323462363063343234373534663063353865363037383932386231313338343239653131633561 -34623439396232633265616438623562666333303932396366663330326565363736633461333463 -66346537323061306662323062393061353565393165363532306439343262343632616465363364 -30376331346430313536313963333136663833323064633631653935326366633862336163316538 -33383434336666303434363236396662366664393637656462363331356631613332353766636663 
-62323264336235306532343065323834313730353237616463373766303439663533336366363565 -35646461636263646633343634323735383235376330616334373937646165623639363663353361 -65613034353736633332663333616564356265323731613537393430633137333337643663323137 -31623732663331653935316337306433333633353565343265666333363864346562363961333439 -30656136636661396335623566386362333861616663393738626632633537613564636261383138 -3233 +37356434643231623932626166316532633039323736303737363933373263623433653031356331 +3431376135666263353431396663363539333164643462340a383832373965653835633937373432 +31393936666535633137333739346135316463636166343063666363633966626639663265373935 +3865353439646331640a326137373039666263366330626537363566613135346263663761663732 +65363064356530373430633562623132373565326364656631313639376131313563316136623966 +35386236313238396436303765366365346335353166376164353936313536393665326439653861 +35623832623365386232353163656339333031323937383862656532636436386334643362653532 +66636365316161316536636131613438356464636163386233333333313531353935346264366231 +36346561303163663735386533333835313231333965633737376537396531323935383134643563 +32643566323564363762306438376431383237313633376437333339623936376664346137333561 +65656336303964623964616230306332636535343833336535303832666137663865336564623233 +33653361646533613462373163363736386634663038666232313432653037643330653639666663 +61643533363938366634616632626131663164393338623539636430363166323935396439373337 +34343930336631326634366331353836323465613934383231313364383061636631346633383634 +36646439336530353761613831343236373936666632333965323964643862616633303732333230 +36313132323965323831336265306565346461343235383864613762343536653434333163616663 +34303731666632666630313763323239633435386330363339363631646432633762383464303837 +39336630343833646666383237376238316264393262336136393662363261643961666332623138 +65633661343265643731396663376262613566613135663161393833373766396632303734336261 
+30326436363237653431396563326264646335643536616530343863623130643666653733323331 +30616363306636396439376661633035326430313363656433636465623737636565333436653031 +33326662336239633930303665373965393037303238393630343338383362363439386634613838 +61356533383032656663613966383131623333613639633062343639393865376433316464653738 +64346465633263383662313934343732363536343662653532393837383062333565636662626634 +30393364336566343264373538386230623136316632666237646431333233376562356439626536 +61613835346636346139316665623463363339623863373961386661656361363232396533636233 +61326236643162623331633066333138326533323835366534336361396263353432373532326437 +30666234666235343739343834316234346630373661666634616461383639363664656534663636 +33376237313333393632313839373436616631336130393930373136623335666235386162376464 +31646437393336313433643534363138636461373837336634646464356437306265353731663362 +64316530326536333235386531613931303238363062383639626238346337356539323938663464 +62613432376563616238303938663933363564613532333633346132373361346231643130653833 +62313631313563343437373032626339366538313764333666353633363637333965633533373633 +33353134373730636638633432313932363264623531303135636566653038396131633230343839 +35303337613935666231303638663832663339626463353862616139346664356261656433313930 +65383336393934633036663261636434636461363161646239363135643536633836353965353462 +62636264373332643333356636616230376135363539393139383666363534626131663736393139 +36653862303066633365383435363637316262646338663437313435643334383835393238613763 +33656136646465373938653263376162633032336536613535356431393135396432636637356632 +31306132353632333833643434663930613936646233623935323761353461363139353238396633 +63363731613336643635333961336664343430353133373937396565343366363634653330663336 +62393866643665393232636232373964616335646363613466373666666661346139373938616463 +37613931613033323538323662356432306639626636666338666565343336323363633966316137 
+32346538303935616265313461383731356462336435303936663931376133616365626466346435 +63313333643361363665653862663338376630613666356538616336643139666636663461323163 +35613365363032343831653639373866393635633363393961613339313234366232346662646132 +36636362356431366631373635613936653162323736303434353130343834323530393330613633 +66393130323637346561616435623562313037393161666236323834323836326161613963626236 +38343362343335343437656434303130626165646661393638336435343933326462343366323964 +39346433663533346262316461623732363963396161353139613663393264623335623832653436 +62306337653062666137373930303334643630623432303932303039343764633361613063643965 +34646133353132663662303665373836643238323932336663333730363137323532663164633862 +39383963336236646161653136626662313764373530623161663437373330666332316362623031 +66653832653035353662353638336239313336663765373966383030316137316135303134616439 +30386332366639653835663530643931326635373836663166313165633137623738636438663261 +34613135643363343232313061616337333562373764663733666666376233313534396132303536 +63643030623962626432653938336633313561303236363762353536613464353331373436666238 +65623961383736633934326165336637323630613032326163303436646530363063316334366665 +35303237613130326339306436343262313733663031333539343163323530653035356431386236 +63373564383233653165623034616262393966343262646461303562363763613261656235623533 +39643963646266623663343537663364633036373838313139313966663031376162666661363161 +36626332313535616638623837666565343734643037343761346238366665646461343532643434 +31356339613066646338306262323336373161326531326137353937343139386562383063666433 +61343861396465316663373963333237633736313735653138646366323334653963323831383864 +61636565333739663633623334336463643362343335663237393161383963373364303864393361 +61333935353634336637343961363237346565313633313366376336366139613563333336316565 +31653066323537646163666539356663633438386437386432313239356466356635303837326434 
+66373934303932323732616563353566663766626335356662383732363266346636666231333864 +33663634313364353162666462383735653162383438393939306530393064626666366431633432 +63363139663632336333333562656339366133646630343533386535393234383638346532326132 +65326538373439373839656634613830656138643166616163663430323266366535646463303564 +38383537613964643761623330313563633939616432643134333266653038306136613962303162 +65393932353131323739333463363764346638633664383539616562353831653033633135656131 +35663136613835383538303134646631386331393032653539336632373439326238376233346238 +66623164643361646262373766353066633562343739393637653664623339333035323231663633 +66373134346231313239616534613065656563653662376434366161303163346533643866376266 +39383631396631633932653163343237313166633134346161653463393930613765373239303061 +33373466376563373739646130613566666132636666343266306135376636333730613034356430 +66373764376234363438613439643931323365636663376236666162643731646366623430373334 +32653962343839316534383034353535303839336361366666343961383930383237373164333065 +39643965386336393666633666376434303463633035373064383266646434343163396636343237 +66366561383237666566643035633635373966306464313765316665363532623638343030633733 +34663061663565303730613339623465653934363337396164383164363134373034356339643665 +38333662313862393631336533383631306130353963313337663031363061323762613966346333 +31356462336431336239353061653165376138326561346266353235636262613932633135303430 +64326536643334313262383132616434633131356537393263613761316535356631336461393930 +64386564306533656436653161383230313238396336656162656464663637336230663466323530 +34353730623033623866393266346134666230623139636132653739313738633037303563396162 +35366564376561306530353361616337386361326436366532656662376336373662636135663532 +38616631343733646564616264636239623136313037386561646632663463383430343632643935 +38663135346664626133373732306461383935366637303235316337376432626464396135343433 
+31623230653464656538333263353061343761656638386537313163386132326635666531373334 +61313364646262346637623165643263313336626561376166326333333636303631353231373365 +31656664646330663063383135626534306338303161313438313162313866343035363234333432 +65613937373763623163653464636366316131653337346339626565643639663239313631336164 +39626263303361653864636433653038613938663037373735343637383733386230353663653865 +33663235613338636434303735386432383534663263656634353839663632343738376161393736 +35393062656533376261336130663235333766373832306563366538393763646339333334373063 +63396332303536336435323665316138613830306531356366383666343334323338616165306338 +61626364613062643131656239336466386664316661636664336466303931643236613761323130 +63656638633736383734313439366135613038326133646665303035646137393133636163393261 +66633864636362393630323436646233303664326634613235633438343930346538633466623064 +64643136326363356631343136366333613266336439326335323163306566313537646336383963 +35373936356137396366656237343432656236343339376538363339366334646130333030383464 +66333961643236653235663865353366313862633138376265366136636438633065653535663931 +35393166326337633337313465306565396161393534393563353166343935646362303465333833 +32326661633838333563663565643134616139353831343663313134306639656163653138383530 +63336462363862353935646563393766316665653561643765326161396439393866643565313161 +66343466313465343563316361643732313830633439336534316136303463366633653662643565 +33653533626531393536343033333433393032363862343661313836346561376565316361653032 +36613738663233333766613236613239336663323931653230313761643765666632363362643034 +39646130623161613332636330393936336532653861393935366266396536616465356362396635 +62643438643665326163366239386364633434383838613735396231383762316565373665363531 +32666131653961656566376631303239323262623330383438386164363162303662306535313162 +34343539636463626430386630653934306665333266336234313362343366633366373131383861 
+31616535346236666264316535646236633363623533656332353037646231653236613664356362 +65656333303461646131366365323266656661343864633536396238333962393066336537353234 +31353337646131373533346161643432656361366464613437643230366261613662356435303339 +33623665373231656539326533353035383038633731386531633064623339653831306430333265 +35386538323561663433323939393564336539636432633738663337353937633837323062616266 +36363766373661356261643966623937633334303539343665343266386630363663663037396263 +61346330313665373533326437623838366634303335383433626137383434333166623138383931 +31643333366662333930393039333232613363313065633734303339323265323861633831646663 +33663934353664306665346631653561613463643265336431643532333533323764323937653934 +32356630383633666538386461653334343363656539383838613239626336366634383266323462 +38393534656635313739653461343835336134333166653463316464393063613831653837346663 +39626133643239353530303263663635326561306665363034393565326463343061313563366431 +39303333396166346138376530646532376333646636613664326536663133623532663462316439 +61343239623166616466316465653532646137336135656164386532623266386633326164336566 +65623436343531623133353366623763333137303132396435653632623534623061393036656161 +36373564306564363432373633326535383038623933343834386634653839353933343965366137 +34343334626661656265393461393339346139633136373936653630383732393461386463313263 +63366263333637363339323534636234386237393663316435323130663438343930336333643838 +34353264373261306439393732343530393765346161653562383939623234356562626664373263 +33343234366639663666346564383866623231356164396435363035373063643566326665373864 +32616131383530663033633866613236366264636564343462326265373762396364323232393131 +39636432356334353439333938643331366263353237633234643233373364393133366537653738 +63383531643334656537316663393235646331613365393330633064663939353633383035643866 +61376632636430646135363761393131626664326235316639646332366564396561633037363866 
+65353563643632323364313134613339356563333431353931653738323162316666346466663266 +62653433666136613734623361363066336230326562663730643230616463613936633738643135 +66373935653939613537306265623532616133353365303433303562353831663534343165316362 +39613937326561383264323361666439613865316138386266393261616135346433323466333234 +33356138623132383063356633613066356161616662623961313562636636386463346266366137 +63396535353236623765626634663132633261643036333762323836636138643737373031653266 +37333836383937386238326162626166656134313165336437323834326635623036616130313539 +34356337666536666230333231326463343938396366353238313639656531663363636164626438 +30656439626361386633343236373733656334353061316239303764363236353639626637376534 +36313630613336633533613437663563656436356130336333346432616638343463316636326236 +30323737623330393565616532363835373766626432356137376561336261353864333266313033 +31663665626439336362363836613032393934613438333663373565393662663066353337343233 +31356261396664653865326532326136356134626631333530306633666538376630396163643761 +65636630346134353431646137613766326365613463373130666665663166356639333532326238 +32303238346632303831316631303733346433366665643234646439363737363462336539343534 +62623363353135303732613939613430363338313539616336656433356664343365663835626366 +62663232386638323265643133343433303133616437666139616337363036316135356333366533 +35666466303365623835663266373765393031643637333663663030366465333764653466373366 +38303863373864656431666434353064343166613132656266393939393163326631363931616637 +66396161633133646164646339396634623766643065306666373464323562363963333431636638 +66616166643762656433646661643931663639353237623461616561363164333634613338636336 +30626234333237366563663163366633666165343933316636646630653031393139393534376334 +64346166623061303930313432316665646266613834633139306662343537653736393134623032 +62643537393239643265663433653737386464353130303130323538626164306637323665623736 
+39626238333038366263336630373139343064303833646634313331653033396364646462356639 +62333331336561373839636631363934653363386365363132646464653363313866616435633138 +34623638666534663131616631306566303365623339386137623666633833393134393735623264 +35323330366134613635656438323566346263306231343536306539633366653062316638396532 +62306133386530386436633661356331323261353738623865333531363036633535643537393362 +62396565636566343932373361373163356639313236306161366237356264336330366130333530 +63613363313930386438343330376463626438343439313866653039363036316566613932313230 +63323330373866613032343235623334336635343062623461366263623033353335623137356439 +39393834343230363362 From 4b3e4919832f92efaecb48ae4120b37e882360c5 Mon Sep 17 00:00:00 2001 From: otthorn Date: Thu, 14 Jan 2021 12:14:57 +0100 Subject: [PATCH 055/126] Add mail vars --- group_vars/all/vars.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 599e834..6b3c1e5 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -89,3 +89,9 @@ apartment_block_dhcp: "{{ apartment_block }}" ipv6_base_prefix: "2a09:6840" is_aurore_host: "{{ 'aurore_vm' in group_names }}" + +# Mail + +myorigin: "auro.re" +# myhostname should be the FQDN (Fully Qualified Domain Name) +myhostname: "mail.adm.auro.re" From f01533409f0dba85b80d0371764f01f568a40065 Mon Sep 17 00:00:00 2001 From: otthorn Date: Thu, 14 Jan 2021 12:15:48 +0100 Subject: [PATCH 056/126] Add (initial) postfix role --- roles/postfix/handlers/main.yml | 6 +++++ roles/postfix/tasks/main.yml | 15 ++++++++++++ roles/postfix/templates/main.cf.j2 | 37 ++++++++++++++++++++++++++++++ 3 files changed, 58 insertions(+) create mode 100644 roles/postfix/handlers/main.yml create mode 100644 roles/postfix/tasks/main.yml create mode 100644 roles/postfix/templates/main.cf.j2 diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml new file mode 100644 index 0000000..d8755a0 --- /dev/null 
+++ b/roles/postfix/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+# Restart Postfix
+- name: Restart postfix service
+ service:
+ name: postfix
+ state: restarted
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
new file mode 100644
index 0000000..4b5c269
--- /dev/null
+++ b/roles/postfix/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+# Install and configure Postfix
+
+- name: Install Postfix
+ apt:
+ name: postfix
+ update_cache: true # apt update beforehand
+
+- name: Configure Postfix
+ template:
+ src: main.cf.j2
+ dest: /etc/postfix/main.cf
+ notify: Restart postfix service
+
+
diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
new file mode 100644
index 0000000..82aacd5
--- /dev/null
+++ b/roles/postfix/templates/main.cf.j2
@@ -0,0 +1,37 @@
+# {{ ansible_managed }}
+# See /usr/share/postfix/main.cf.dist for a full commented version
+# See BASIC_CONFIGURATION_README and STANDARD_CONFIGURATION_README for more insights
+# More generally, see the Postfix documentation at http://www.postfix.org
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# Send mail as user@{{ myorigin }}
+# myorigin = auro.re
+myorigin = {{ myorigin }}
+
+#myhostname = mail.adm.auro.re
+myhostname = {{ myhostname }}
+
+mydestination = $myhostname localhost.{{ myorigin }} localhost {{ myorigin }}
+
+# Specify the trusted networks
+mynetworks = 127.0.0.0/8 {{ local_network }}
+
+# This host does not relay mail from untrusted networks
+relay_domains =
+
+# Allow plus delimiter
+recipient_delimiter = +
From 5377378bf7e25d2940982a9d400fcba7e625c8df Mon Sep 17 00:00:00 2001
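Review bot: `mynetworks = 127.0.0.0/8 {{ local_network }}` in main.cf.j2 makes every address in `local_network` a trusted relay client, so any host on that network can send through this server without authenticating; what `local_network` covers is not visible here, but for a mail host the safer default is `mynetworks = 127.0.0.0/8 [::1]/128` with authenticated submission for everything else. The list as written also omits `[::1]/128`, so local IPv6 clients are treated as untrusted. There is no TLS configuration (`smtpd_tls_cert_file`, `smtpd_tls_security_level`) in this template yet, which is presumably expected for an initial commit but worth tracking since a certificate role is added later in this series. The `Configure Postfix` task in tasks/main.yml sets no `mode` on /etc/postfix/main.cf; `mode: "0644"` would make the expectation explicit.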
From: otthorn Date: Thu, 14 Jan 2021 12:16:00 +0100 Subject: [PATCH 057/126] Add (initial) mail-utils role --- roles/mail-utils/tasks/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 roles/mail-utils/tasks/main.yml
diff --git a/roles/mail-utils/tasks/main.yml b/roles/mail-utils/tasks/main.yml
new file mode 100644
index 0000000..8f6b269
--- /dev/null
+++ b/roles/mail-utils/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+# Install small tools that are usefull on a mailserver
+- name: Install small utility tools
+ apt:
+ name:
+ - swaks # Swiss Army Knife for SMTP
+ - mutt # small CLI mail client for debug and on-server mail
+ - pwgen # generate strong and cryptographically secure passwords
+
From de83af936d34e3c41de5f910db8d04fd3f46ed00 Mon Sep 17 00:00:00 2001 From: otthorn Date: Thu, 14 Jan 2021 12:16:20 +0100 Subject: [PATCH 058/126] Add (initial) mailserver playbook --- mailserver.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 mailserver.yml
diff --git a/mailserver.yml b/mailserver.yml
new file mode 100644
index 0000000..132c8ca
--- /dev/null
+++ b/mailserver.yml
@@ -0,0 +1,26 @@
+#! /usr/bin/env ansible-playbook
+---
+# Deploy base and security
+- hosts: mail.adm.auro.re
+ roles:
+ - baseconfig
+ - basesecurity
+
+# Deploy LDAP
+- hosts: mail.adm.auro.re
+ roles:
+ - ldap_client
+
+# Deploy mail server
+- hosts: mail.adm.auro.re
+ roles:
+ - mail-utils
+ - postfix
+ - dovecot
+ - rspamd
+ - mail-certificates
+ - mail-fail2ban
+
+# Make OVH server send mails through proxy ?
+# Add multiple MX
+# Configure DKIM, SPF, Greylisting, etc...
From 673d77d1be7874f8ddd3bbce26d7f9c3a1b4c77d Mon Sep 17 00:00:00 2001 From: otthorn Date: Thu, 14 Jan 2021 12:25:23 +0100 Subject: [PATCH 059/126] fix yaml lint --- mailserver.yml | 4 ++-- roles/mail-utils/tasks/main.yml | 7 +++---- roles/postfix/tasks/main.yml | 4 +--- 3 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/mailserver.yml b/mailserver.yml index 132c8ca..8842e2b 100644 --- a/mailserver.yml +++ b/mailserver.yml @@ -1,4 +1,4 @@ -#! /usr/bin/env ansible-playbook +#!/usr/bin/env ansible-playbook --- # Deploy base and security - hosts: mail.adm.auro.re @@ -9,7 +9,7 @@ # Deploy LDAP - hosts: mail.adm.auro.re roles: - - ldap_client + - ldap_client # Deploy mail server - hosts: mail.adm.auro.re diff --git a/roles/mail-utils/tasks/main.yml b/roles/mail-utils/tasks/main.yml index 8f6b269..ac9d64c 100644 --- a/roles/mail-utils/tasks/main.yml +++ b/roles/mail-utils/tasks/main.yml @@ -3,7 +3,6 @@ - name: Install small utility tools apt: name: - - swaks # Swiss Army Knife for SMTP - - mutt # small CLI mail client for debug and on-server mail - - pwgen # generate strong and cryptographically secure passwords - + - swaks # Swiss Army Knife for SMTP + - mutt # small CLI mail client for debug and on-server mail + - pwgen # generate strong and cryptographically secure passwords diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml index 4b5c269..46820e7 100644 --- a/roles/postfix/tasks/main.yml +++ b/roles/postfix/tasks/main.yml @@ -4,12 +4,10 @@ - name: Install Postfix apt: name: postfix - update_cache: true # apt update beforehand + update_cache: true # apt update beforehand - name: Configure Postfix template: src: main.cf.j2 dest: /etc/postfix/main.cf notify: Restart postfix service - - From 750753f16dbe1a6d79c9fb11399f77b9f7f3691c Mon Sep 17 00:00:00 2001 From: otthorn Date: Thu, 14 Jan 2021 22:47:29 +0100 Subject: [PATCH 060/126] Starting the dovecot task --- roles/dovecot/tasks/main.yml | 51 ++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 roles/dovecot/tasks/main.yml diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml new file mode 100644 index 0000000..afa08f5 --- /dev/null +++ b/roles/dovecot/tasks/main.yml 
@@ -0,0 +1,51 @@
+---
+# Install and configure Dovecot
+- name: Install Dovecot
+ apt:
+ name:
+ - dovecot-core
+ - dovecot-imapd
+ - dovecot-managesieved
+ - dovecot-lmtpd
+ - dovecot-ldap
+ - dovecot-pop3d
+ update_cache: true
+
+# Create the vmail user with UID and GID 5000
+- name: Create vmail user
+ user:
+ name: vmail
+ uid: 5000
+ gid: 5000
+ home: /var/vmail
+
+# Create mail user seive directory with right ownernship and rights
+- name: Create mail user sieve directory
+ file:
+ path: /var/vmail/sieve/global
+ state: directory
+ owner: vmail
+ group: vmail
+ mode: 0770
+
+# Do the same for mailboxes
+- name: Create mail user mailbox directory
+ file:
+ path: /var/vmail/mailboxes
+ state: directory
+ owner: vmail
+ group: vmail
+ mode: 0770
+
+# Add the Dovecot configuration files
+- name: Add Dovecot configuration
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/dovecot/conf.d/{{ item }}"
+ mode: 0644
+ notify: Reload dovecot
+ loop:
+ - "10-auth.conf"
+ - "10-mail.conf"
+ - "10-master.conf"
+ - "10-ssl.conf"
From 3714396b6ba2f882a2433f578bad85fa5677ef8b Mon Sep 17 00:00:00 2001 From: otthorn Date: Thu, 14 Jan 2021 22:48:13 +0100 Subject: [PATCH 061/126] commented unused tasks for the moment --- mailserver.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) mode change 100644 => 100755 mailserver.yml
diff --git a/mailserver.yml b/mailserver.yml
old mode 100644
new mode 100755
index 8842e2b..f732d44
--- a/mailserver.yml
+++ b/mailserver.yml
@@ -17,9 +17,9 @@ - mail-utils - postfix - dovecot - - rspamd - - mail-certificates - - mail-fail2ban +# - rspamd +# - mail-certificates +# - mail-fail2ban # Make OVH server send mails through proxy ? # Add multiple MX From 40df593f1156c8ca6284a82b5566c92212ef80a8 Mon Sep 17 00:00:00 2001
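Review bot: `gid: 5000` in the `Create vmail user` task is not, as far as I know, a parameter of the `user` module (it takes `uid` and `group`, a group name), so the task would fail with an unsupported-parameter error; the group has to be created first with the `group` module (`name: vmail`, `gid: 5000`) and the user task then given `group: vmail`. An account that owns every mailbox should also not be a login account: adding `shell: /usr/sbin/nologin` and `system: true` limits what the vmail identity can do if a mail component is compromised. The unquoted `mode: 0770` / `mode: 0644` values work thanks to the leading zero, but yamllint's octal-values rule and Ansible's own documentation recommend the quoted form `mode: "0770"`.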
From: otthorn Date: Fri, 15 Jan 2021 19:52:55 +0100 Subject: [PATCH 062/126] Added the certificates gestion --- host_vars/mail.auro.re.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 host_vars/mail.auro.re.yml
diff --git a/host_vars/mail.auro.re.yml b/host_vars/mail.auro.re.yml
new file mode 100644
index 0000000..7e3e383
--- /dev/null
+++ b/host_vars/mail.auro.re.yml
@@ -0,0 +1,8 @@
+---
+certbot:
+ domains:
+ - mail.auro.re
+ - webmail.auro.re
+ - smtp.auro.re
+ mail: tech.aurore@lists.crans.org
+ certname: auro.re
From 991e3063206c51e7346737224b09eaff14b5ea24 Mon Sep 17 00:00:00 2001 From: otthorn Date: Sun, 17 Jan 2021 12:31:30 +0100 Subject: [PATCH 063/126] Add nfs-client role --- roles/nfs-client/tasks/main.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 roles/nfs-client/tasks/main.yml
diff --git a/roles/nfs-client/tasks/main.yml b/roles/nfs-client/tasks/main.yml
new file mode 100644
index 0000000..7137d1d
--- /dev/null
+++ b/roles/nfs-client/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+# Install NFS client, mount distant storage and add configuration to fstab to make it persistent
+- name: Install NFS client
+ apt:
+ name:
+ - nfs-common # use this on any NFS machine, be either client or server
+ update_cache: true
+
+- name: Create mountable dir
+ file:
+ path: {{ nfs-mount-path }}
+ state: directory
+ mode: 0644
+ owner: {{ nfs-dir-owner }}
+ group: {{ nfs-dir-group }}
+
+- name: Mount and add to fstab
+ mount:
+ state: mounted # actively mounted and configured in fstab
+ src: {{ nfs-src }}
+ path: {{ nfs-mount-path }}
+ fstype: nfs
+ opts: defaults
+# don't specify dump and fsck to keep the 0 (don't) variable
From 260526613739ae854f1ce2ea5e6d3012ef8f5fa5 Mon Sep 17 00:00:00 2001 From: otthorn Date: Sun, 17 Jan 2021 12:34:25 +0100 Subject: [PATCH 064/126] fix var names for better hierarchy --- roles/nfs-client/tasks/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
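Review bot: `opts: defaults` in the `Mount and add to fstab` task mounts the remote mail store with exec, suid and device nodes permitted, which a mailbox tree never needs; `opts: defaults,nosuid,nodev,noexec` would confine what can be run out of the share. The same `opts: defaults` line survives as context in the later nfs-client hunks of this series (the variable renames and quoting on the following lines), so the change applies to the final version of the file as well. Whether the mount should also be pinned to a specific protocol version (`nfsvers=4`) depends on the server, which is not visible here.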
diff --git a/roles/nfs-client/tasks/main.yml b/roles/nfs-client/tasks/main.yml index 7137d1d..7bade02 100644 --- a/roles/nfs-client/tasks/main.yml +++ b/roles/nfs-client/tasks/main.yml @@ -8,17 +8,17 @@ - name: Create mountable dir file: - path: {{ nfs-mount-path }} + path: {{ nfs.mount-path }} state: directory mode: 0644 - owner: {{ nfs-dir-owner }} - group: {{ nfs-dir-group }} + owner: {{ nfs.dir-owner }} + group: {{ nfs.dir-group }} - name: Mount and add to fstab mount: state: mounted # actively mounted and configured in fstab - src: {{ nfs-src }} - path: {{ nfs-mount-path }} + src: {{ nfs.src }} + path: {{ nfs.mount-path }} fstype: nfs opts: defaults # don't specify dump and fsck to keep the 0 (don't) variable From b6355ebb0a9e4685441b55a64bbac21d67a3512b Mon Sep 17 00:00:00 2001 From: otthorn Date: Sun, 17 Jan 2021 12:41:09 +0100 Subject: [PATCH 065/126] Added NFS host_var for mail.auro.re --- host_vars/mail.auro.re.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/host_vars/mail.auro.re.yml b/host_vars/mail.auro.re.yml index 7e3e383..0c5d952 100644 --- a/host_vars/mail.auro.re.yml +++ b/host_vars/mail.auro.re.yml @@ -2,7 +2,12 @@ certbot: domains: - mail.auro.re - - webmail.auro.re - smtp.auro.re mail: tech.aurore@lists.crans.org certname: auro.re + +nfs: + src: "10.128.0.6:/data_mail" # caradoc + mount-path: /var/vmail + dir-owner: vmail + dir-group: vmail From 8cb854813914be79c62b90020eb7eac66a5dcf62 Mon Sep 17 00:00:00 2001 From: otthorn Date: Sun, 17 Jan 2021 12:42:15 +0100 Subject: [PATCH 066/126] mail is no longer in adm --- hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts b/hosts index 55cf3fc..4263845 100644 --- a/hosts +++ b/hosts @@ -32,7 +32,7 @@ re2o-db.adm.auro.re services-bdd-local.adm.auro.re backup.adm.auro.re services-web.adm.auro.re -mail.adm.auro.re +mail.auro.re wikijs.adm.auro.re prometheus-aurore.adm.auro.re portail.adm.auro.re 
From f7ee1403d95c403a89563a8133392ab8972afd25 Mon Sep 17 00:00:00 2001 From: otthorn Date: Sun, 17 Jan 2021 12:47:58 +0100 Subject: [PATCH 067/126] Fix yaml lint --- mailserver.yml | 22 ++++++---------------- roles/dovecot/tasks/main.yml | 2 +- roles/nfs-client/tasks/main.yml | 14 +++++++------- 3 files changed, 14 insertions(+), 24 deletions(-) diff --git a/mailserver.yml b/mailserver.yml index f732d44..56ac56a 100755 --- a/mailserver.yml +++ b/mailserver.yml @@ -1,26 +1,16 @@ #!/usr/bin/env ansible-playbook --- -# Deploy base and security -- hosts: mail.adm.auro.re - roles: - - baseconfig - - basesecurity - -# Deploy LDAP -- hosts: mail.adm.auro.re - roles: - - ldap_client - # Deploy mail server -- hosts: mail.adm.auro.re +- hosts: mail.auro.re roles: - mail-utils - - postfix - - dovecot + - mail-certificates + - nfs-client +# - postfix +# - dovecot # - rspamd -# - mail-certificates # - mail-fail2ban - +# # Make OVH server send mails through proxy ? # Add multiple MX # Configure DKIM, SPF, Greylisting, etc... diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml index afa08f5..8e4ce5f 100644 --- a/roles/dovecot/tasks/main.yml +++ b/roles/dovecot/tasks/main.yml @@ -36,7 +36,7 @@ owner: vmail group: vmail mode: 0770 - + # Add the Dovecot configuration files - name: Add Dovecot configuration template: diff --git a/roles/nfs-client/tasks/main.yml b/roles/nfs-client/tasks/main.yml index 7bade02..ffc792c 100644 --- a/roles/nfs-client/tasks/main.yml +++ b/roles/nfs-client/tasks/main.yml 
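Review bot: the rewritten mailserver.yml drops the `baseconfig`, `basesecurity` and `ldap_client` plays, so running this playbook alone no longer applies the base hardening role to mail.auro.re. If those roles reach this host through another playbook, a comment such as `# baseconfig/basesecurity are applied by <other playbook>` would keep the next reader from re-adding them; otherwise the play should keep them, in particular `basesecurity` on a host that the standalone certbot challenge added later in this series implies is reachable from the Internet.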
@@ -3,22 +3,22 @@ - name: Install NFS client apt: name: - - nfs-common # use this on any NFS machine, be either client or server + - nfs-common # use this on any NFS machine, be either client or server update_cache: true -- name: Create mountable dir +- name: Create mountable dir file: - path: {{ nfs.mount-path }} + path: "{{ nfs.mount-path }}" state: directory mode: 0644 - owner: {{ nfs.dir-owner }} - group: {{ nfs.dir-group }} + owner: "{{ nfs.dir-owner }}" + group: "{{ nfs.dir-group }}" - name: Mount and add to fstab mount: state: mounted # actively mounted and configured in fstab - src: {{ nfs.src }} - path: {{ nfs.mount-path }} + src: "{{ nfs.src }}" + path: "{{ nfs.mount-path }}" fstype: nfs opts: defaults # don't specify dump and fsck to keep the 0 (don't) variable From ed9557d3428117cc6f24fd01436414d5f16be7c8 Mon Sep 17 00:00:00 2001 From: otthorn Date: Sun, 17 Jan 2021 12:51:52 +0100 Subject: [PATCH 068/126] fix ansible-lint --- mailserver.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mailserver.yml b/mailserver.yml index 56ac56a..8e76fe9 100755 --- a/mailserver.yml +++ b/mailserver.yml @@ -2,7 +2,7 @@ --- # Deploy mail server - hosts: mail.auro.re - roles: + roles: | - mail-utils - mail-certificates - nfs-client From a0a61244819f8533218fc04e4fd86220b026924c Mon Sep 17 00:00:00 2001 From: otthorn Date: Sun, 17 Jan 2021 13:03:09 +0100 Subject: [PATCH 069/126] add sain defaults for NFS client --- roles/nfs-client/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 roles/nfs-client/defaults/main.yml diff --git a/roles/nfs-client/defaults/main.yml b/roles/nfs-client/defaults/main.yml new file mode 100644 index 0000000..70224f5 --- /dev/null +++ b/roles/nfs-client/defaults/main.yml @@ -0,0 +1,3 @@ +nfs: + owner: root + groupe: root From 9543c2f10dfe79756fe2bceff2bcc8317097260e Mon Sep 17 00:00:00 2001 
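Review bot: the new roles/nfs-client/defaults/main.yml sets `nfs.owner` / `nfs.groupe`, but the task file reads `nfs.dir-owner` / `nfs.dir-group` (renamed to `nfs.dir_owner` / `nfs.dir_group` in the hunk on the next line), so these defaults are never consulted. A `nfs:` dictionary defined in host_vars also replaces the whole defaults dictionary rather than merging into it under Ansible's default `hash_behaviour`, so even matching keys would not fall back to the role defaults. Flat variables used the same way in both files, `nfs_dir_owner: root` and `nfs_dir_group: root`, would make the defaults effective.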
From: otthorn Date: Sun, 17 Jan 2021 13:27:24 +0100 Subject: [PATCH 070/126] dashes are evil, use underscore in var names --- host_vars/mail.auro.re.yml | 6 +++--- roles/nfs-client/tasks/main.yml | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/host_vars/mail.auro.re.yml b/host_vars/mail.auro.re.yml index 0c5d952..cc3ff9f 100644 --- a/host_vars/mail.auro.re.yml +++ b/host_vars/mail.auro.re.yml @@ -8,6 +8,6 @@ certbot: nfs: src: "10.128.0.6:/data_mail" # caradoc - mount-path: /var/vmail - dir-owner: vmail - dir-group: vmail + mount_path: "/var/vmail" + dir_owner: vmail + dir_group: vmail diff --git a/roles/nfs-client/tasks/main.yml b/roles/nfs-client/tasks/main.yml index ffc792c..0841ad3 100644 --- a/roles/nfs-client/tasks/main.yml +++ b/roles/nfs-client/tasks/main.yml @@ -8,17 +8,17 @@ - name: Create mountable dir file: - path: "{{ nfs.mount-path }}" + path: "{{ nfs.mount_path }}" state: directory - mode: 0644 - owner: "{{ nfs.dir-owner }}" - group: "{{ nfs.dir-group }}" + mode: 0755 + owner: "{{ nfs.dir_owner }}" + group: "{{ nfs.dir_group }}" - name: Mount and add to fstab mount: state: mounted # actively mounted and configured in fstab src: "{{ nfs.src }}" - path: "{{ nfs.mount-path }}" + path: "{{ nfs.mount_path }}" fstype: nfs opts: defaults # don't specify dump and fsck to keep the 0 (don't) variable From 3a2f073db53347debb2c6f58e71b110abe19b861 Mon Sep 17 00:00:00 2001 From: otthorn Date: Sun, 17 Jan 2021 13:27:43 +0100 Subject: [PATCH 071/126] fix typo --- roles/nfs-client/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nfs-client/defaults/main.yml b/roles/nfs-client/defaults/main.yml index 70224f5..d9bbd93 100644 --- a/roles/nfs-client/defaults/main.yml +++ b/roles/nfs-client/defaults/main.yml @@ -1,3 +1,3 @@ nfs: owner: root - groupe: root + group: root From d49ad0f8d8ba3facd120f4511269ad8fa2e02a39 Mon Sep 17 00:00:00 2001 
From: otthorn Date: Sun, 17 Jan 2021 13:27:55 +0100 Subject: [PATCH 072/126] oupsie, reverse this --- mailserver.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mailserver.yml b/mailserver.yml
index 8e76fe9..56ac56a 100755
--- a/mailserver.yml
+++ b/mailserver.yml
@@ -2,7 +2,7 @@ --- # Deploy mail server - hosts: mail.auro.re - roles: | + roles: - mail-utils - mail-certificates - nfs-client
From 155daedd248c0393e48f4c0a0113712241cd9cc5 Mon Sep 17 00:00:00 2001 From: otthorn Date: Sun, 17 Jan 2021 16:40:28 +0100 Subject: [PATCH 073/126] Agree to Letsencrypt TOS --- roles/mail-certificates/templates/conf.ini.j2 | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 roles/mail-certificates/templates/conf.ini.j2
diff --git a/roles/mail-certificates/templates/conf.ini.j2 b/roles/mail-certificates/templates/conf.ini.j2
new file mode 100644
index 0000000..cdcd8db
--- /dev/null
+++ b/roles/mail-certificates/templates/conf.ini.j2
@@ -0,0 +1,26 @@
+# {{ ansible_managed }}
+
+# Pour appliquer cette conf et générer la conf de renewal :
+# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Always use the staging/testing server
+# server = https://acme-staging.api.letsencrypt.org/directory
+
+# Uncomment and update to register with the specified e-mail address
+email = {{ certbot.mail }}
+
+# Uncomment to use a text interface instead of ncurses
+text = True
+
+# Use nginx challenge
+authenticator = standalone
+
+# Accept TOS
+agree-tos = True
+
+# Wildcard the domain
+cert-name = {{ certbot.certname }}
+domains = {{ ", ".join(certbot.domains) }}
From 769dc5619b3227cb83cd9a27b5f6b12eb8ac525a Mon Sep 17 00:00:00 2001
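Review bot: the comment `# Use nginx challenge` above `authenticator = standalone` in conf.ini.j2 describes the opposite of what the setting does: standalone makes certbot bind port 80 itself, which also means that port must be free and reachable on the mail host whenever a certificate is issued or renewed. `# Standalone HTTP-01 challenge: certbot listens on port 80 itself` would match the setting. The `# Uncomment and update ...` and `# Uncomment to use ...` lines above `email` and `text` are left over from the sample file, since both values are active here, and `# Wildcard the domain` is misleading because `domains` lists explicit names rather than a wildcard.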
From: otthorn Date: Sun, 17 Jan 2021 17:02:05 +0100 Subject: [PATCH 074/126] Add the mail-certificate role --- roles/mail-certificates/tasks/main.yml | 28 ++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 roles/mail-certificates/tasks/main.yml
diff --git a/roles/mail-certificates/tasks/main.yml b/roles/mail-certificates/tasks/main.yml
new file mode 100644
index 0000000..64e6c63
--- /dev/null
+++ b/roles/mail-certificates/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+# Very similar to the certbot role, but without nginx
+# Install Letscrypt tools to generate and manage certificates
+- name: Install Letsencrypt
+ apt:
+ name:
+ - certbot # letsencrypt
+ - ca-certificates # just in case
+ update_cache: true
+
+# Create the configuration directory for letsencrypt
+- name: Create /etc/letsencrypt/conf.d
+ file:
+ path: /etc/letsencrypt/conf.d
+ state: directory
+ mode: 0755
+
+# Configure certbot
+- name: Add certbot configuration
+ template:
+ src: "conf.ini.j2"
+ dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+ mode: 0644
+ register: certbot_config
+
+- name: Generate new certificates if the configuration changed
+ shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+ when: certbot_config.changed
From facb7365fcac2827d0949a468a8d6d2e8d516c6d Mon Sep 17 00:00:00 2001 From: otthorn Date: Sun, 17 Jan 2021 17:02:52 +0100 Subject: [PATCH 075/126] Please linter --- roles/nfs-client/defaults/main.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/roles/nfs-client/defaults/main.yml b/roles/nfs-client/defaults/main.yml
index d9bbd93..6c55400 100644
--- a/roles/nfs-client/defaults/main.yml
+++ b/roles/nfs-client/defaults/main.yml
@@ -1,3 +1,4 @@
+---
nfs:
owner: root
group: root
From cbdde70c2a18ab37531d46760e58aba0d2f1a9f9 Mon Sep 17 00:00:00 2001
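Review bot: `shell:` in the `Generate new certificates if the configuration changed` task runs a command line that uses no shell features, so `command:` is the lint-clean and safer choice; and with `when: certbot_config.changed` a failed first issuance is not retried until the .ini file changes again, while the task reports changed on every run it executes. Keying it on the certificate's existence instead, `args:` / `creates: "/etc/letsencrypt/live/{{ certbot.certname }}/fullchain.pem"` (live-directory path assumed — confirm against certbot's layout), makes the task idempotent and self-healing. Renewal is presumably left to the certbot package's timer, but nothing here reloads postfix or dovecot when the certificate changes; a `--deploy-hook` or a script under `/etc/letsencrypt/renewal-hooks/deploy/` is worth adding once those roles consume the certificate.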
From: otthorn Date: Sun, 17 Jan 2021 23:48:36 +0100 Subject: [PATCH 076/126] Starting to try out postfix config --- mailserver.yml | 2 +- roles/postfix/templates/main.cf.j2 | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/mailserver.yml b/mailserver.yml index 56ac56a..124663d 100755 --- a/mailserver.yml +++ b/mailserver.yml @@ -6,7 +6,7 @@ - mail-utils - mail-certificates - nfs-client -# - postfix + - postfix # - dovecot # - rspamd # - mail-fail2ban diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2 index 82aacd5..97412c2 100644 --- a/roles/postfix/templates/main.cf.j2 +++ b/roles/postfix/templates/main.cf.j2 @@ -19,10 +19,8 @@ readme_directory = no compatibility_level = 2 # Send mail as user@{{ myorigin }} -# myorigin = auro.re myorigin = {{ myorigin }} -#myhostname = mail.adm.auro.re myhostname = {{ myhostname }} mydestination = $myhostname localhost.{{ myorigin }} localhost {{ myorigin }} From 946b3c973e54aea3c4489fd3dc222d1000d9b724 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Thu, 28 Jan 2021 00:07:23 +0100 Subject: [PATCH 077/126] Apt retry mechanism --- roles/dovecot/tasks/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml index 8e4ce5f..74669f9 100644 --- a/roles/dovecot/tasks/main.yml +++ b/roles/dovecot/tasks/main.yml @@ -2,6 +2,7 @@ # Install and configure Dovecot - name: Install Dovecot apt: + update_cache: true name: - dovecot-core - dovecot-imapd @@ -9,7 +10,9 @@ - dovecot-lmtpd - dovecot-ldap - dovecot-pop3d - update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded # Create the vmail user with UID and GID 5000 - name: Create vmail user From 46c8b82a575a691f805a89653f0cf06fd3984cfb Mon Sep 17 00:00:00 2001 
From: Otthorn Date: Thu, 28 Jan 2021 00:11:36 +0100 Subject: [PATCH 078/126] Config outside of conf.d --- roles/dovecot/tasks/main.yml | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml index 74669f9..053e154 100644 --- a/roles/dovecot/tasks/main.yml +++ b/roles/dovecot/tasks/main.yml @@ -40,15 +40,27 @@ group: vmail mode: 0770 -# Add the Dovecot configuration files -- name: Add Dovecot configuration +# Add the Dovecot configuration files (conf.d) +- name: Add Dovecot configuration in conf.d template: src: "{{ item }}.j2" dest: "/etc/dovecot/conf.d/{{ item }}" mode: 0644 - notify: Reload dovecot loop: - "10-auth.conf" - "10-mail.conf" - "10-master.conf" - "10-ssl.conf" + - "10-loggin.conf" + - "auth-system.conf.ext" + notify: Reload dovecot + +# Add the Dovecot configuration file outside of conf.d +- name: Add Dovecot configuration outside of conf.d + template: + src: "dovecot-ldap.conf.ext.j2" + dest: "/etc/dovecot/dovecot-ldap-conf.ext" + mode: 0600 # only legible by root + owner: root + mode: root + notify: Reload dovecot From 74e722fef82ea6d06d8b585dafcdf8d06e259352 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Thu, 28 Jan 2021 00:13:08 +0100 Subject: [PATCH 079/126] fix typo --- roles/dovecot/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml index 053e154..ddaf92d 100644 --- a/roles/dovecot/tasks/main.yml +++ b/roles/dovecot/tasks/main.yml @@ -51,7 +51,7 @@ - "10-mail.conf" - "10-master.conf" - "10-ssl.conf" - - "10-loggin.conf" + - "10-logging.conf" - "auth-system.conf.ext" notify: Reload dovecot From 1ec03eda87aedae2a740b9eda5307557ed726bb0 Mon Sep 17 00:00:00 2001 
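Review bot: the `Add Dovecot configuration outside of conf.d` task has `mode:` twice (`mode: 0600 # only legible by root` and then `mode: root`); YAML parsers keep the last value, so the file module receives `mode: root`, which is not a valid mode, and the 0600 that protects the LDAP bind password is silently lost. The second line should read `group: root`. The destination `/etc/dovecot/dovecot-ldap-conf.ext` also does not match the template name `dovecot-ldap.conf.ext.j2`; Debian's `auth-ldap.conf.ext` includes `/etc/dovecot/dovecot-ldap.conf.ext` by default, so the rendered file would presumably not be read unless that include is changed too. The earlier tasks of this file are outside the hunk.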
From: Otthorn Date: Thu, 28 Jan 2021 00:15:51 +0100 Subject: [PATCH 080/126] dovecot handlers --- roles/dovecot/handlers/main.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 roles/dovecot/handlers/main.yml
diff --git a/roles/dovecot/handlers/main.yml b/roles/dovecot/handlers/main.yml
new file mode 100644
index 0000000..d25b2b8
--- /dev/null
+++ b/roles/dovecot/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload dovecot
+ service:
+ name: dovecot
+ state: reloaded
From 9260b902d6f0a9dcb7c77a5252223e0f8b2478f9 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Thu, 28 Jan 2021 01:11:32 +0100 Subject: [PATCH 081/126] auth config --- roles/dovecot/templates/conf.d/10-auth.conf.j2 | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 roles/dovecot/templates/conf.d/10-auth.conf.j2
diff --git a/roles/dovecot/templates/conf.d/10-auth.conf.j2 b/roles/dovecot/templates/conf.d/10-auth.conf.j2
new file mode 100644
index 0000000..e850270
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/10-auth.conf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+# Dovecot configuration for Aurore
+# More info at https://gitea.auro.re/Aurore/ansible
+# And on the Dovecot wiki : https://doc.dovecot.org/
+
+# Include every configuration file in conf.d
+!include conf.d/*.conf
+
+# Include LDAP conf
+!include auth-ldap.conf.ext
+
+# Authentification mechanisms
+auth_mechanisms = plain login
From 05e16f322608f33db11024c25d99ce0f1aa5a0d7 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Thu, 28 Jan 2021 01:24:50 +0100 Subject: [PATCH 082/126] maildir conf --- roles/dovecot/templates/conf.d/10-mail.conf | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 roles/dovecot/templates/conf.d/10-mail.conf
diff --git a/roles/dovecot/templates/conf.d/10-mail.conf b/roles/dovecot/templates/conf.d/10-mail.conf
new file mode 100644
index 0000000..b7046d4
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/10-mail.conf
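Review bot: `!include conf.d/*.conf` in 10-auth.conf.j2 is the directive that belongs in /etc/dovecot/dovecot.conf; placed inside conf.d/10-auth.conf it would, as far as I recall, resolve relative to conf.d and look for conf.d/conf.d/*.conf, and `!include` (unlike `!include_try`) fails when nothing matches. Dropping that line and keeping only `!include auth-ldap.conf.ext` matches the stock layout. `auth_mechanisms = plain login` is acceptable only while `disable_plaintext_auth = yes` (Dovecot's default) and TLS are in force; the 10-ssl.conf hunk later in this series is garbled in this view, so that could not be checked.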
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+# Dovecot configuration for Aurore
+# More info at https://gitea.auro.re/Aurore/ansible
+# And on the Dovecot wiki : https://doc.dovecot.org/
+
+# Mailbox locations and namespaces
+
+# Simple mail location
+mail_location = maildir:~/Maildir
+
+# Plugins
+mail_plugins = quota
+#mail_plugins = quota mail_log notify # to be tested
From f3eeb243bb569f20660f7c2d04f93cf7c43f6441 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Thu, 28 Jan 2021 01:27:22 +0100 Subject: [PATCH 083/126] renamed to fit jinja template --- roles/dovecot/templates/conf.d/{10-mail.conf => 10-mail.conf.j2} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/dovecot/templates/conf.d/{10-mail.conf => 10-mail.conf.j2} (100%)
diff --git a/roles/dovecot/templates/conf.d/10-mail.conf b/roles/dovecot/templates/conf.d/10-mail.conf.j2
similarity index 100%
rename from roles/dovecot/templates/conf.d/10-mail.conf
rename to roles/dovecot/templates/conf.d/10-mail.conf.j2
From f0a2bfd7401e6529c852260b40bbc23ed9ef4a7b Mon Sep 17 00:00:00 2001 From: Otthorn Date: Thu, 28 Jan 2021 01:34:09 +0100 Subject: [PATCH 084/126] Add IMAP/POP/SMTP auth conf --- roles/dovecot/templates/conf.d/10-master.conf.j2 | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 roles/dovecot/templates/conf.d/10-master.conf.j2
diff --git a/roles/dovecot/templates/conf.d/10-master.conf.j2 b/roles/dovecot/templates/conf.d/10-master.conf.j2
new file mode 100644
index 0000000..39b2421
--- /dev/null
+++ b/roles/dovecot/templates/conf.d/10-master.conf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+# Dovecot configuration for Aurore
+# More info at https://gitea.auro.re/Aurore/ansible
+# And on the Dovecot wiki : https://doc.dovecot.org/
+
+# IMAP/POP/STMP auth configuration
+
+# Postfix smtp-auth
+unix_listener /var/spool/postfix/private/auth {
+ mode = 0660
+ user = postfix
+ group = postfix
+}
From 910838c4169fe2e4456efaf59f8b95625efc1ec9 Mon Sep 17 00:00:00 2001
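Review bot: `unix_listener /var/spool/postfix/private/auth { ... }` in 10-master.conf.j2 sits at top level, but Dovecot only accepts `unix_listener` blocks inside a `service` block; wrapped as `service auth { unix_listener /var/spool/postfix/private/auth { ... } }` it defines the Postfix SASL socket, whereas as written I would expect a configuration error on reload. The `mode = 0660` / `user = postfix` / `group = postfix` triple is the usual ownership for that socket and can stay as is. The header comment `# IMAP/POP/STMP auth configuration` should read `SMTP`.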
From: Otthorn Date: Thu, 28 Jan 2021 03:15:45 +0100 Subject: [PATCH 085/126] Add ssl conf --- roles/dovecot/templates/conf.d/10-ssl.conf.j2 | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 roles/dovecot/templates/conf.d/10-ssl.conf.j2 diff --git a/roles/dovecot/templates/conf.d/10-ssl.conf.j2 b/roles/dovecot/templates/conf.d/10-ssl.conf.j2 new file mode 100644 index 0000000..79ac059 --- /dev/null +++ b/roles/dovecot/templates/conf.d/10-ssl.conf.j2 @@ -0,0 +1,13 @@ +# {{ ansible_managed }} +# Dovecot configuration for Aurore +# More info at https://gitea.auro.re/Aurore/ansible +# And on the Dovecot wiki : https://doc.dovecot.org/ + +# SSL and certificates configuration + +# Cetificates location +ssl_cert = Date: Fri, 29 Jan 2021 00:16:42 +0100 Subject: [PATCH 086/126] dovecot ldap conf --- .../templates/dovecot-ldap.conf.ext.j2 | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 roles/dovecot/templates/dovecot-ldap.conf.ext.j2 diff --git a/roles/dovecot/templates/dovecot-ldap.conf.ext.j2 b/roles/dovecot/templates/dovecot-ldap.conf.ext.j2 new file mode 100644 index 0000000..f99e82e --- /dev/null +++ b/roles/dovecot/templates/dovecot-ldap.conf.ext.j2 @@ -0,0 +1,20 @@ +# {{ ansible_managed }} +# Dovecot configuration for Aurore +# More info at https://gitea.auro.re/Aurore/ansible +# And on the Dovecot wiki : https://doc.dovecot.org/ + +uris = {{ ldap_master_uri }} +dn = {{ ldap_dovecot_bind_dn }} +dnpass = {{ ldap_dovecot_password }} +base = {{ ldap_user_tree }} + +#user_attrs = homeDirectory=home, uidNumber=uid, gidNumber=gid +#user_filter = (&(objectClass=posixAccount)(uid=%u)) + +pass_attrs = uid=user, userPassword=password +pass_filter = (&(objectClass=posixAccount)(uid=%u)) + +# Convert LDAP lookup to lowercase +# would be needed if re2o did not already had lowercase enforced by a +# validator +#auth_username_format = %Lu From f14da4530536886936344c3f8fe5eadab1d44b47 Mon Sep 17 00:00:00 2001 
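Review bot: dovecot-ldap.conf.ext.j2 binds with `dn` / `dnpass` against `uris = {{ ldap_master_uri }}` and sets no `tls = yes`; if that URI is plain `ldap://` (its value is not visible here), the service password and every `userPassword` hash returned through `pass_attrs` cross the network in cleartext, so either an `ldaps://` URI or `tls = yes` should be required. Reading `userPassword` also means the dovecot bind DN needs read access to the password hashes of all users; `auth_bind = yes` with the same `pass_filter` lets Dovecot bind as the user instead and keeps the service account at least privilege, which is worth weighing against the hash-lookup design chosen here. The 10-ssl.conf.j2 hunk on this line is garbled (the text after `ssl_cert =` is missing), so that file could not be reviewed.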
From: Otthorn Date: Fri, 29 Jan 2021 00:20:02 +0100 Subject: [PATCH 087/126] dovecot vars --- group_vars/all/vars.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 6b3c1e5..2f6be0e 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -15,6 +15,8 @@ ldap_matrix_password: "{{ vault_ldap_matrix_password }}" ldap_replica_password: "{{ vault_ldap_replica_password }}" ldap_admin_password: "{{ vault_ldap_admin_password }}" ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}" +ldap_dovecot_bind_dn: "cn=dovecot,ou=service-users,{{ ldap_base }}" +ldap_dovecot_password: "{{ vault_ldap_dovecot_password }}" # Databases postgresql_services_url: 'services-bdd.adm.auro.re' From 482bf1f8bcb8083aae4f512c1b3b15d9f4bd11a1 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Fri, 29 Jan 2021 00:27:00 +0100 Subject: [PATCH 088/126] Add dovecot bind password into the vault --- group_vars/all/vault.yml | 347 ++++++++++++++++++++------------------- 1 file changed, 175 insertions(+), 172 deletions(-) diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 8698d49..9d00213 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
@@ -1,173 +1,176 @@ $ANSIBLE_VAULT;1.1;AES256 -37356434643231623932626166316532633039323736303737363933373263623433653031356331 -3431376135666263353431396663363539333164643462340a383832373965653835633937373432 -31393936666535633137333739346135316463636166343063666363633966626639663265373935 -3865353439646331640a326137373039666263366330626537363566613135346263663761663732 -65363064356530373430633562623132373565326364656631313639376131313563316136623966 -35386236313238396436303765366365346335353166376164353936313536393665326439653861 -35623832623365386232353163656339333031323937383862656532636436386334643362653532 -66636365316161316536636131613438356464636163386233333333313531353935346264366231 -36346561303163663735386533333835313231333965633737376537396531323935383134643563 -32643566323564363762306438376431383237313633376437333339623936376664346137333561 -65656336303964623964616230306332636535343833336535303832666137663865336564623233 -33653361646533613462373163363736386634663038666232313432653037643330653639666663 -61643533363938366634616632626131663164393338623539636430363166323935396439373337 -34343930336631326634366331353836323465613934383231313364383061636631346633383634 -36646439336530353761613831343236373936666632333965323964643862616633303732333230 -36313132323965323831336265306565346461343235383864613762343536653434333163616663 -34303731666632666630313763323239633435386330363339363631646432633762383464303837 -39336630343833646666383237376238316264393262336136393662363261643961666332623138 -65633661343265643731396663376262613566613135663161393833373766396632303734336261 -30326436363237653431396563326264646335643536616530343863623130643666653733323331 -30616363306636396439376661633035326430313363656433636465623737636565333436653031 -33326662336239633930303665373965393037303238393630343338383362363439386634613838 -61356533383032656663613966383131623333613639633062343639393865376433316464653738 
-64346465633263383662313934343732363536343662653532393837383062333565636662626634 -30393364336566343264373538386230623136316632666237646431333233376562356439626536 -61613835346636346139316665623463363339623863373961386661656361363232396533636233 -61326236643162623331633066333138326533323835366534336361396263353432373532326437 -30666234666235343739343834316234346630373661666634616461383639363664656534663636 -33376237313333393632313839373436616631336130393930373136623335666235386162376464 -31646437393336313433643534363138636461373837336634646464356437306265353731663362 -64316530326536333235386531613931303238363062383639626238346337356539323938663464 -62613432376563616238303938663933363564613532333633346132373361346231643130653833 -62313631313563343437373032626339366538313764333666353633363637333965633533373633 -33353134373730636638633432313932363264623531303135636566653038396131633230343839 -35303337613935666231303638663832663339626463353862616139346664356261656433313930 -65383336393934633036663261636434636461363161646239363135643536633836353965353462 -62636264373332643333356636616230376135363539393139383666363534626131663736393139 -36653862303066633365383435363637316262646338663437313435643334383835393238613763 -33656136646465373938653263376162633032336536613535356431393135396432636637356632 -31306132353632333833643434663930613936646233623935323761353461363139353238396633 -63363731613336643635333961336664343430353133373937396565343366363634653330663336 -62393866643665393232636232373964616335646363613466373666666661346139373938616463 -37613931613033323538323662356432306639626636666338666565343336323363633966316137 -32346538303935616265313461383731356462336435303936663931376133616365626466346435 -63313333643361363665653862663338376630613666356538616336643139666636663461323163 -35613365363032343831653639373866393635633363393961613339313234366232346662646132 -36636362356431366631373635613936653162323736303434353130343834323530393330613633 
-66393130323637346561616435623562313037393161666236323834323836326161613963626236 -38343362343335343437656434303130626165646661393638336435343933326462343366323964 -39346433663533346262316461623732363963396161353139613663393264623335623832653436 -62306337653062666137373930303334643630623432303932303039343764633361613063643965 -34646133353132663662303665373836643238323932336663333730363137323532663164633862 -39383963336236646161653136626662313764373530623161663437373330666332316362623031 -66653832653035353662353638336239313336663765373966383030316137316135303134616439 -30386332366639653835663530643931326635373836663166313165633137623738636438663261 -34613135643363343232313061616337333562373764663733666666376233313534396132303536 -63643030623962626432653938336633313561303236363762353536613464353331373436666238 -65623961383736633934326165336637323630613032326163303436646530363063316334366665 -35303237613130326339306436343262313733663031333539343163323530653035356431386236 -63373564383233653165623034616262393966343262646461303562363763613261656235623533 -39643963646266623663343537663364633036373838313139313966663031376162666661363161 -36626332313535616638623837666565343734643037343761346238366665646461343532643434 -31356339613066646338306262323336373161326531326137353937343139386562383063666433 -61343861396465316663373963333237633736313735653138646366323334653963323831383864 -61636565333739663633623334336463643362343335663237393161383963373364303864393361 -61333935353634336637343961363237346565313633313366376336366139613563333336316565 -31653066323537646163666539356663633438386437386432313239356466356635303837326434 -66373934303932323732616563353566663766626335356662383732363266346636666231333864 -33663634313364353162666462383735653162383438393939306530393064626666366431633432 -63363139663632336333333562656339366133646630343533386535393234383638346532326132 -65326538373439373839656634613830656138643166616163663430323266366535646463303564 
-38383537613964643761623330313563633939616432643134333266653038306136613962303162 -65393932353131323739333463363764346638633664383539616562353831653033633135656131 -35663136613835383538303134646631386331393032653539336632373439326238376233346238 -66623164643361646262373766353066633562343739393637653664623339333035323231663633 -66373134346231313239616534613065656563653662376434366161303163346533643866376266 -39383631396631633932653163343237313166633134346161653463393930613765373239303061 -33373466376563373739646130613566666132636666343266306135376636333730613034356430 -66373764376234363438613439643931323365636663376236666162643731646366623430373334 -32653962343839316534383034353535303839336361366666343961383930383237373164333065 -39643965386336393666633666376434303463633035373064383266646434343163396636343237 -66366561383237666566643035633635373966306464313765316665363532623638343030633733 -34663061663565303730613339623465653934363337396164383164363134373034356339643665 -38333662313862393631336533383631306130353963313337663031363061323762613966346333 -31356462336431336239353061653165376138326561346266353235636262613932633135303430 -64326536643334313262383132616434633131356537393263613761316535356631336461393930 -64386564306533656436653161383230313238396336656162656464663637336230663466323530 -34353730623033623866393266346134666230623139636132653739313738633037303563396162 -35366564376561306530353361616337386361326436366532656662376336373662636135663532 -38616631343733646564616264636239623136313037386561646632663463383430343632643935 -38663135346664626133373732306461383935366637303235316337376432626464396135343433 -31623230653464656538333263353061343761656638386537313163386132326635666531373334 -61313364646262346637623165643263313336626561376166326333333636303631353231373365 -31656664646330663063383135626534306338303161313438313162313866343035363234333432 -65613937373763623163653464636366316131653337346339626565643639663239313631336164 
-39626263303361653864636433653038613938663037373735343637383733386230353663653865 -33663235613338636434303735386432383534663263656634353839663632343738376161393736 -35393062656533376261336130663235333766373832306563366538393763646339333334373063 -63396332303536336435323665316138613830306531356366383666343334323338616165306338 -61626364613062643131656239336466386664316661636664336466303931643236613761323130 -63656638633736383734313439366135613038326133646665303035646137393133636163393261 -66633864636362393630323436646233303664326634613235633438343930346538633466623064 -64643136326363356631343136366333613266336439326335323163306566313537646336383963 -35373936356137396366656237343432656236343339376538363339366334646130333030383464 -66333961643236653235663865353366313862633138376265366136636438633065653535663931 -35393166326337633337313465306565396161393534393563353166343935646362303465333833 -32326661633838333563663565643134616139353831343663313134306639656163653138383530 -63336462363862353935646563393766316665653561643765326161396439393866643565313161 -66343466313465343563316361643732313830633439336534316136303463366633653662643565 -33653533626531393536343033333433393032363862343661313836346561376565316361653032 -36613738663233333766613236613239336663323931653230313761643765666632363362643034 -39646130623161613332636330393936336532653861393935366266396536616465356362396635 -62643438643665326163366239386364633434383838613735396231383762316565373665363531 -32666131653961656566376631303239323262623330383438386164363162303662306535313162 -34343539636463626430386630653934306665333266336234313362343366633366373131383861 -31616535346236666264316535646236633363623533656332353037646231653236613664356362 -65656333303461646131366365323266656661343864633536396238333962393066336537353234 -31353337646131373533346161643432656361366464613437643230366261613662356435303339 -33623665373231656539326533353035383038633731386531633064623339653831306430333265 
-35386538323561663433323939393564336539636432633738663337353937633837323062616266 -36363766373661356261643966623937633334303539343665343266386630363663663037396263 -61346330313665373533326437623838366634303335383433626137383434333166623138383931 -31643333366662333930393039333232613363313065633734303339323265323861633831646663 -33663934353664306665346631653561613463643265336431643532333533323764323937653934 -32356630383633666538386461653334343363656539383838613239626336366634383266323462 -38393534656635313739653461343835336134333166653463316464393063613831653837346663 -39626133643239353530303263663635326561306665363034393565326463343061313563366431 -39303333396166346138376530646532376333646636613664326536663133623532663462316439 -61343239623166616466316465653532646137336135656164386532623266386633326164336566 -65623436343531623133353366623763333137303132396435653632623534623061393036656161 -36373564306564363432373633326535383038623933343834386634653839353933343965366137 -34343334626661656265393461393339346139633136373936653630383732393461386463313263 -63366263333637363339323534636234386237393663316435323130663438343930336333643838 -34353264373261306439393732343530393765346161653562383939623234356562626664373263 -33343234366639663666346564383866623231356164396435363035373063643566326665373864 -32616131383530663033633866613236366264636564343462326265373762396364323232393131 -39636432356334353439333938643331366263353237633234643233373364393133366537653738 -63383531643334656537316663393235646331613365393330633064663939353633383035643866 -61376632636430646135363761393131626664326235316639646332366564396561633037363866 -65353563643632323364313134613339356563333431353931653738323162316666346466663266 -62653433666136613734623361363066336230326562663730643230616463613936633738643135 -66373935653939613537306265623532616133353365303433303562353831663534343165316362 -39613937326561383264323361666439613865316138386266393261616135346433323466333234 
-33356138623132383063356633613066356161616662623961313562636636386463346266366137 -63396535353236623765626634663132633261643036333762323836636138643737373031653266 -37333836383937386238326162626166656134313165336437323834326635623036616130313539 -34356337666536666230333231326463343938396366353238313639656531663363636164626438 -30656439626361386633343236373733656334353061316239303764363236353639626637376534 -36313630613336633533613437663563656436356130336333346432616638343463316636326236 -30323737623330393565616532363835373766626432356137376561336261353864333266313033 -31663665626439336362363836613032393934613438333663373565393662663066353337343233 -31356261396664653865326532326136356134626631333530306633666538376630396163643761 -65636630346134353431646137613766326365613463373130666665663166356639333532326238 -32303238346632303831316631303733346433366665643234646439363737363462336539343534 -62623363353135303732613939613430363338313539616336656433356664343365663835626366 -62663232386638323265643133343433303133616437666139616337363036316135356333366533 -35666466303365623835663266373765393031643637333663663030366465333764653466373366 -38303863373864656431666434353064343166613132656266393939393163326631363931616637 -66396161633133646164646339396634623766643065306666373464323562363963333431636638 -66616166643762656433646661643931663639353237623461616561363164333634613338636336 -30626234333237366563663163366633666165343933316636646630653031393139393534376334 -64346166623061303930313432316665646266613834633139306662343537653736393134623032 -62643537393239643265663433653737386464353130303130323538626164306637323665623736 -39626238333038366263336630373139343064303833646634313331653033396364646462356639 -62333331336561373839636631363934653363386365363132646464653363313866616435633138 -34623638666534663131616631306566303365623339386137623666633833393134393735623264 -35323330366134613635656438323566346263306231343536306539633366653062316638396532 
-62306133386530386436633661356331323261353738623865333531363036633535643537393362 -62396565636566343932373361373163356639313236306161366237356264336330366130333530 -63613363313930386438343330376463626438343439313866653039363036316566613932313230 -63323330373866613032343235623334336635343062623461366263623033353335623137356439 -39393834343230363362 +66303361306465306436306562636265303832353830313933363965316261376162313738653737 +3334363661316563633238316632336463323737633066610a306236343636656261623835343466 +39386437363564623661333465386338613632316563373164363839623138336165343834313237 +6433343439383431360a633139363034623861396633316632336131333137626239646639326131 +65613236363733346330636565303039613737366263356230313734383033383435343433386536 +30653263396339656337626239303662326134373231303364613066656339376662643934323466 +30643261393463373063623865343537653862353766323538613731353534363639616438313663 +66366133643462333935636231636638326364636334613430333062616264663961326362613466 +66313730363933653631646638616166343030626465336361313239323731356534313963613530 +65383735626234663261393834313232626239666135313566353839616162323732323265633031 +62393862663438313237663335396332613661313864303630653533343362333834356262363465 +30666232356539386437353438643038333766363362653432366263616338393066363532633064 +63646561653264393162303430346662623536363364383862366264393532613461303935653261 +39376462623561626336306435323934323130613031623865656432626233616563393365343036 +37643463666436386230653339613463633133333661356564646234653632313931333765383666 +39646331383939343663306634393531646265363531326636326636616632643437343566656464 +64643638616264376130656637386134396161306636333064633731646234396566303934626332 +66393466626137336265653933346362396639383064393663613866333337653166343262646536 +61333864373737333133626438646538353338663531323961666335333166613363653230643139 +38616462306461356135306164376332313538613465316563663566373533396635346635646134 
+31386661306533383130633130346539303666316663333762383131623535343038613963353336 +32336135366435643463613962383833666130363765326631613963363266626633643966663063 +33363235353765623961346331393963653130663434356234336538626438616334613761636161 +32346234643531396530653636626531653033393863383963663938646135616238393861373738 +30346664646465666666333165336636616265303265393236626534343163353633643737366264 +63303937306637643033663333353633346166636361323538393063353438353135303665616663 +34613230383836343861613661356162363831623363633435646234353839663530363936356238 +63383038616631666633653032613435316265626137643730666539393561373264613663656464 +30613033373435313036633938353461623335396264313236623065323339623537613164316366 +33356432646438636530353230333762346165336661393038666138356561333363613563656665 +34306136393233346532303461393736636561316231626231643633333938656435663638306261 +33393064333662336466313461363638393339373637303735663736353537363364663235363263 +36623663636235363332616433626266653330393633326339376562636165323539313532363535 +64386136393631656665343337333738653664613966363361313931313763323563383265623935 +31643532346363656462646436343761353938626661383336636436373233343530353130626463 +36346330626432376338306339396563316233313836383863303232396439336436363833383063 +39663864306533376630623334386336663237666635336661383630616139633736393835666534 +61393036363763336632623236383236383639373662393761313834653833316332373733653830 +62616563386435396433653930653637643031636462633336663033306531356239346564663564 +30636462343263643236316635346163373765393262623365353933313065333532353562333932 +62656234656363306266386135313466376665663166623038616637663333353731313564356434 +61343235613639386364663533376362613364653562613431393862656265313432623532343965 +65326362323534346535326331613262653130623336653231323564376534336261643538333434 +31333830653933633562626364363364386630343364376337613436663030333865323433316163 
+33356438366161626666653731386438643064656538373036393532396432396138353564313833 +34643231366439656439336534323039616364396137653661373761343635663366363134623032 +62313734313061353065613561613337373338623732326362363436616134343864643439363631 +38346339383864373635383462326466303635383661633665663362646165663934336632633838 +64373332356664663663613735663163336465353030383365346661326634373832656137393061 +34626363383964646439356338343439343336626237626366383663386161663037343339383066 +30356332623337626437313235623161373937663532613238353333326265663937653034616135 +64663731653965613933636561313730623030656666656232396433646563623137643661643132 +30383439343764396137313231353161323835393934373561623666653630656335366434636235 +36306162316464613365616330626433306335396130336266616566653661336335346566613763 +30373638353230313433333539306664323333646463333334366362613832376534356636383235 +30626263383036643034303465366137356665366238366663313837323937646631396262623331 +62323366623530663561643036643733323230343832633639663737356530643564643534666366 +64646339363235376561363835643166663735643333656230386565653234356565323135333731 +65313864316166383566386564303461343031356138386362633834316230396436306533306239 +62306132373535363931306664346637663561323530346339373234343633663062393361323532 +32653938623738383565353965656636336662323939346331396162623862613038633035643766 +30346431393237323735386337643062396433366434396531623130643038366465643132303532 +62366266393166333138643238383764656461623361326236333565373762316431373132356263 +30396263396264626330613734346361646531626531363639393431366636316135333566393561 +65393661333837633236396563333631663036376633666538306564333565653030303135313866 +32366234313532656437393964666438393737363437303562633937396437663062616636383564 +33393564643066383662323765346535616164633239636235656263336663633562646665393734 +31393232376662666431393064643161653730653263313536613963376561386536353536616163 
+63316237636630306165346633646437636636626331303262663032653662333236646564613363 +63616263643266393861386166346139343237633232653734363465303935613264366130336261 +63333137633266306465363837646163323266363665396266363437303931353938653638343630 +61386561616663303330663634306235336432316365303461623665393338396434346533366130 +35303363643334613862613831366464616264386338373566613431303939623638656536306532 +31346365623766346566353564613761333563303233336139376639363634616564303336393737 +38333637376566393437383264386561386336653135663135356466663430383634313535626233 +65646131353961663064316434353564383163646166323832663662373031636531623736643566 +37336530636133363561643438663563353963373265333333386434336361326338646666636263 +64396438616335393338376632326162326530636431323466646261623531303335656135313834 +34613764336234303230373737326662396562303439363535643562386661303861666530366332 +62316635343436396535656163393737343664333963356539313037306432643166393333353036 +63663266613332363364313863303465366136333862346164306335353838333830343261323365 +61373565666665663065666233316639326238323763333336383665653434623031383063613162 +33666532363638353130303665646536663139633463343764353962643838353037323865623236 +39613832616265376464363234363532323265366362316564343964636539656263376632313538 +38653066666165333866646437353264383638366138633538336434623139623264623033656661 +36643336343764613136653432316361343963313162326439656662386334356535373361303330 +31653963306365373633323937363332636633613266363064363535366136646639643632343031 +34393363373861613863313039393336333165386637393265333439396230643735363230363530 +61643036353062643164663063343930613536653762633231333931646239343661343738386232 +66373934643837323266623866393166373837323034373662306565623534396562326635323362 +31613138613261626231663330626664376539366165353836343039336138623931643537363931 +62313862313164306337383465333464313966656538643836643639653632663564633232343362 
+61323033316630616536633938393735343332653965656565663163396335643738646463303130 +64363334326165653962656534313939666230373362316438346139356266616566346462356162 +61316233346463376162356461623734313431623330633239353730643964616662383966323932 +35373962663333653738616562396638633136376635383032313634333931626530393532663531 +30356232626566386632356334393939343262393536666130333537646338343063313565623163 +64383337303665613630393164383337346132346462373338323933316231386233323061353661 +64336337376231383035653861373639373763633337396236373161613833303630316663626331 +62633336383834363033316539336261346137303463643337393465393339663966653464336162 +66633832383734373635356165343336323866663735353931626466613361636632313437326566 +36386631653935633036373831643763656564643138303564306630396539373536383261663366 +63333061333431626465353839343564346331323961663939373538636261343336663461336566 +61343231633064336561666362633739636435633663653432393862356232356434356439343936 +35326237313033363031336162303436383733626365373832333438393436663938316366343161 +65656566353535363664386336383137313962333339396530356361363630353365366532656464 +39353639626639653535316665383962646331326463353663383630633961353031396131393562 +64663661396330356664316536623666383762623934306532636562663038336165376262633661 +30373531356163386531623738373837366666323637333932393131366531316439643338373230 +39663131313531343736353666376532326566313963623432643965646666333939613538643463 +66333762306162623963306136343930306638383933333835626231616466633561633766383564 +36653163366336666565626665323966373434383432303430306632333636353337386265323534 +61306435356164313731393862383531646665346134616330303237396136313765313233313434 +35393065363264323232323537363237303330386635346263306463636233393461393232306534 +34636138333038366165343434323937363864366463326330353438313662323035653965383138 +34646331356237613461393464386465303834373536336666626539313431303635653831303237 
+66643536336330303438393161613833346337336333636137336435333830386137653139386665 +34636463313438323038616134383932646266656434633861363331393634393030356562646134 +36653830326330353962393736393566393839366132643163303862316566633838373537613531 +30396636333564623930313636363762636437373138313835393362346237353731316662343661 +36636536643534636632646463376333346230383866353736393535313931313066656231336234 +65333935653537613239663166303636356466653337643362313834303634623535653166613138 +33316638313233613239386235383737623361376132346666393661393464613963616233613033 +35386534353462386238313833666234633662353166303463333463346636646565313333613866 +62313066366131353961323761306461653732393737386539646461346133626363303563353035 +63313536646234396433306361366338386539326366316163363132326230366632383032646233 +35626138326633653032393263326261313761623437336630646634636463613533353239353734 +65363236373038623965353166656131313835373834386635656361323931653237393336333938 +38373737613966356366313636656366363031396639623633373162363363373830363564356336 +37373537323462633337663462666637363661313166323038623665393562663862383161383363 +64366663656537663837373662313564663033333663633333613733656662303639313630623162 +65663165363164343364633132376538653834323764646664626266343534393763663936616339 +37336336356164613534653862626230356635333361326266323365353665666531343337613331 +61303731313431386633616230393562373331643966306161343730336539313935306662343865 +39303237653733663162303664386237376266333963663034636564363032373235646430363837 +38636261613564323565336639623533343964663733366138303635303833633738326165643938 +38616364663737333535346661356333326238303439626138303465663932393839653362393432 +33613236316161323135373162333866666136623062373037383665633034356534333530643037 +33363466643030323061373633393233383838616631636266323165656137636532626136353561 +64663936396364613236363663316534366162623735336235643631373263616330353036623333 
+32393334663663393264376630626630653962393632353239356236626334633833306335386333 +30356630306630323334663334363063343462383837393663636133343465336537353433663536 +66313265613032343838633164633366396236343136303163353365343032353239376539393965 +32316361663438623731336537393135336465336161646661366565356338326537646561376434 +36626332303661373561306338666533633435393433393832656166656264376266363035366637 +64346432336339396636353930363263653838343266623430613730373235376538366465373764 +31326537383336633434663231663865353763323235623866633339393633323836366637303536 +62313139646562616339356336663838386439313531333030643032333838343332383533663134 +32323935376462646130346631656362373035346436376266653164303263653566303037393136 +36313038303862373662356662663437353265326433653330343437316230646338306639646532 +35653732306239653133656361333330333634376332323737303831666461346165616138663637 +63376263333365623037616336303038613536303163343930396635386536363936346465326137 +63653835623135353161643765643563396636313635306461376531626332333335393661646431 +33323430653464396230366465343236303033356432643066303730323132306238643737376533 +65643232323138313562346661396361363730643736626166386664313732326136373531663466 +36383630636161376431393135373863356137353737306166393934656437363063363630393864 +62663464623932616532636231643964396533396230363837383235666561663032663938373165 +32313931373935316137643937623161306330653161336138363562313033613132306164623364 +38336435333432323237353734393666646361626535393665306662393831393765636265373938 +61303832343631313634393037356662643162643233363731386265323862383034623564393661 +30646566643336323038633161356437613666626431613762363530343166633735383365323462 +36336364616531393031326361626638323834353365666437363466653234316532396662343365 +63393331336336636363313438386461303838306539303161333433313037373361366336653462 +65626531646338626532646563346566626536643166313432363231343163313039323461633265 
+61396263303433383830333865366537633066366231393034623233633436316133303030653236 +64366638353634666661666534363763356164333065313136613761626262383239646539626330 +31636665326134653836626364616161636265393534666138386234373635313834343338646139 +39363432643962623339636463346264343530666133656361316437333837346236353532613131 +36626562326536303263373361326565326364363934343430313662376464303532346361653563 +62333238633765363363363265303438396631303463376561383832643633353065366633633364 +65663634613638336638376632353733646536313839313335383939613565623463313534633335 +33333139343633353830663434643139663839323364643235623832386536633264373434336133 +63303461383063313738626431663361633730343730623865613936373232616663373636646338 +31376261376139666531376663613331366539303133353564333036336239343233666238303361 +303137643632666133393733336431393664 From 5c7537f4ac032d31cca2383b436c4fdcda64e12f Mon Sep 17 00:00:00 2001 From: Otthorn Date: Fri, 29 Jan 2021 00:55:02 +0100 Subject: [PATCH 089/126] Add dovecot role to the mailserver --- mailserver.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mailserver.yml b/mailserver.yml index 124663d..ca00641 100755 --- a/mailserver.yml +++ b/mailserver.yml @@ -7,7 +7,7 @@ - mail-certificates - nfs-client - postfix -# - dovecot + - dovecot # - rspamd # - mail-fail2ban # From 8436e64b3a6757bdc92029621bcc7746fa09ebd1 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Fri, 29 Jan 2021 00:56:08 +0100 Subject: [PATCH 090/126] reload -> restart --- roles/dovecot/handlers/main.yml | 4 ++-- roles/dovecot/tasks/main.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/dovecot/handlers/main.yml b/roles/dovecot/handlers/main.yml index d25b2b8..8f8b702 100644 --- a/roles/dovecot/handlers/main.yml +++ b/roles/dovecot/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: Reload dovecot +- name: Restart dovecot service: name: dovecot - state: reloaded + state: restarted 
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml index ddaf92d..9b66d05 100644 --- a/roles/dovecot/tasks/main.yml +++ b/roles/dovecot/tasks/main.yml @@ -53,7 +53,7 @@ - "10-ssl.conf" - "10-logging.conf" - "auth-system.conf.ext" - notify: Reload dovecot + notify: Restart dovecot # Add the Dovecot configuration file outside of conf.d - name: Add Dovecot configuration outside of conf.d From b8aa50716618a2699213ff859a7063500381a714 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Fri, 29 Jan 2021 00:57:24 +0100 Subject: [PATCH 091/126] fix typo --- roles/dovecot/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml index 9b66d05..68e6387 100644 --- a/roles/dovecot/tasks/main.yml +++ b/roles/dovecot/tasks/main.yml @@ -62,5 +62,5 @@ dest: "/etc/dovecot/dovecot-ldap-conf.ext" mode: 0600 # only legible by root owner: root - mode: root - notify: Reload dovecot + group: root + notify: Restart dovecot From 5732fef21e664d3d1ae1d7c97a1eac9e1d37fd5a Mon Sep 17 00:00:00 2001 From: Otthorn Date: Fri, 29 Jan 2021 01:01:10 +0100 Subject: [PATCH 092/126] rename roles to match regex set by linter --- roles/{mail-certificates => mail_certificates}/tasks/main.yml | 0 .../templates/conf.ini.j2 | 0 roles/{mail-utils => mail_utils}/tasks/main.yml | 0 roles/{nfs-client => nfs_client}/defaults/main.yml | 0 roles/{nfs-client => nfs_client}/tasks/main.yml | 0 5 files changed, 0 insertions(+), 0 deletions(-) rename roles/{mail-certificates => mail_certificates}/tasks/main.yml (100%) rename roles/{mail-certificates => mail_certificates}/templates/conf.ini.j2 (100%) rename roles/{mail-utils => mail_utils}/tasks/main.yml (100%) rename roles/{nfs-client => nfs_client}/defaults/main.yml (100%) rename roles/{nfs-client => nfs_client}/tasks/main.yml (100%) 
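Review bot: The handler rename is applied to the conf.d template task only; the second template task in this file (the one writing dovecot-ldap-conf.ext, whose removed `notify: Reload dovecot` line shows up in the next commit's hunk) still notifies a handler that no longer exists, so any change to that template would fail the play with an unknown-handler error. Every `notify:` in the role should move in the same commit as the handler rename. Switching the handler to `restarted` also drops live IMAP sessions on every config change; if a reload was found insufficient for some of these files, a comment on the handler saying which (e.g. `# restart rather than reload: needed for <which-file> changes`) would keep the next maintainer from reverting it.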
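Review bot: `dest: "/etc/dovecot/dovecot-ldap-conf.ext"` uses a dash where the template is named `dovecot-ldap.conf.ext.j2` and Dovecot's stock `auth-ldap.conf.ext` points `args` at `/etc/dovecot/dovecot-ldap.conf.ext`; unless the role's auth include references the dashed path, Dovecot will not find the LDAP settings, so the dest should presumably be `/etc/dovecot/dovecot-ldap.conf.ext`. `mode: 0600` is an unquoted octal literal: the YAML loader hands Ansible the integer 384, which only maps to 0600 because of the leading zero, and ansible-lint flags it — write `mode: "0600"`; the same applies to `mode: 0644` added to the postfix template task in PATCH 093. The `group: root` fix itself is right and, with 0600, keeps the embedded bind password readable by root only. Only the tail of this task is in the hunk; its start is outside it.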
diff --git a/roles/mail-certificates/tasks/main.yml b/roles/mail_certificates/tasks/main.yml similarity index 100% rename from roles/mail-certificates/tasks/main.yml rename to roles/mail_certificates/tasks/main.yml diff --git a/roles/mail-certificates/templates/conf.ini.j2 b/roles/mail_certificates/templates/conf.ini.j2 similarity index 100% rename from roles/mail-certificates/templates/conf.ini.j2 rename to roles/mail_certificates/templates/conf.ini.j2 diff --git a/roles/mail-utils/tasks/main.yml b/roles/mail_utils/tasks/main.yml similarity index 100% rename from roles/mail-utils/tasks/main.yml rename to roles/mail_utils/tasks/main.yml diff --git a/roles/nfs-client/defaults/main.yml b/roles/nfs_client/defaults/main.yml similarity index 100% rename from roles/nfs-client/defaults/main.yml rename to roles/nfs_client/defaults/main.yml diff --git a/roles/nfs-client/tasks/main.yml b/roles/nfs_client/tasks/main.yml similarity index 100% rename from roles/nfs-client/tasks/main.yml rename to roles/nfs_client/tasks/main.yml From 522d286bdd573944fa0ef7d5dd81616801479089 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Fri, 29 Jan 2021 01:03:18 +0100 Subject: [PATCH 093/126] Fix mode, shoudl always be set --- roles/postfix/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml index 46820e7..c1a056a 100644 --- a/roles/postfix/tasks/main.yml +++ b/roles/postfix/tasks/main.yml @@ -10,4 +10,5 @@ template: src: main.cf.j2 dest: /etc/postfix/main.cf + mode: 0644 notify: Restart postfix service From f8774587c2c2b71ae9fc19df50e7e2698833ef25 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Fri, 29 Jan 2021 23:44:20 +0100 Subject: [PATCH 094/126] use underscores instead of dashes inside role names --- mailserver.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/mailserver.yml b/mailserver.yml index ca00641..d557d2a 100755 --- a/mailserver.yml +++ b/mailserver.yml 
@@ -3,13 +3,13 @@ # Deploy mail server - hosts: mail.auro.re roles: - - mail-utils - - mail-certificates - - nfs-client + - mail_utils + - mail_certificates + - nfs_client - postfix - dovecot # - rspamd -# - mail-fail2ban +# - mail_fail2ban # # Make OVH server send mails through proxy ? # Add multiple MX From 486216b8ff6fb40ce1816d564e6ae57958cd3979 Mon Sep 17 00:00:00 2001 From: Solal Nathan Date: Fri, 29 Jan 2021 23:59:53 +0100 Subject: [PATCH 095/126] use command instead of shell when no shell functionality is required --- roles/mail_certificates/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mail_certificates/tasks/main.yml b/roles/mail_certificates/tasks/main.yml index 64e6c63..76f4b9c 100644 --- a/roles/mail_certificates/tasks/main.yml +++ b/roles/mail_certificates/tasks/main.yml @@ -24,5 +24,5 @@ register: certbot_config - name: Generate new certificates if the configuration changed - shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" + command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" when: certbot_config.changed From 495f4c4343680388d00b33685e568894f60abb63 Mon Sep 17 00:00:00 2001 From: Solal Nathan Date: Sat, 30 Jan 2021 00:02:28 +0100 Subject: [PATCH 096/126] User handlers to run when something changed --- roles/mail_certificates/handlers/main.yml | 3 +++ roles/mail_certificates/tasks/main.yml | 6 +----- 2 files changed, 4 insertions(+), 5 deletions(-) create mode 100644 roles/mail_certificates/handlers/main.yml diff --git a/roles/mail_certificates/handlers/main.yml b/roles/mail_certificates/handlers/main.yml new file mode 100644 index 0000000..cc3f463 --- /dev/null +++ b/roles/mail_certificates/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: Generate certificates + command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" 
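Review bot: The new `Generate certificates` handler only runs when handlers are flushed, normally at the end of the play, while the `mailserver.yml` play on this page lists `postfix` and `dovecot` after `mail_certificates`; on a fresh host those roles therefore render configuration pointing at a certificate that has not been issued yet and their service restarts presumably fail. Either keep an immediate task guarded by `when: certbot_config.changed` (the form this series removes in the following tasks hunk) or flush handlers between the roles, e.g. `- meta: flush_handlers` in the play right after the certificates role. The handler also has no `changed_when`/`creates` guard, so any re-notification re-runs `certbot certonly` against the CA, which is fine only as long as it is notified solely on real configuration changes.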
diff --git a/roles/mail_certificates/tasks/main.yml b/roles/mail_certificates/tasks/main.yml index 76f4b9c..2a4e30f 100644 --- a/roles/mail_certificates/tasks/main.yml +++ b/roles/mail_certificates/tasks/main.yml @@ -21,8 +21,4 @@ src: "conf.ini.j2" dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" mode: 0644 - register: certbot_config - -- name: Generate new certificates if the configuration changed - command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" - when: certbot_config.changed + notify: Generate certificates From 32adecd5c1a14f422e9382d6d2c99cada326e857 Mon Sep 17 00:00:00 2001 From: Solal Nathan Date: Sat, 30 Jan 2021 00:25:15 +0100 Subject: [PATCH 097/126] add local_network variable --- group_vars/all/vars.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 2f6be0e..01dd26e 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -97,3 +97,4 @@ is_aurore_host: "{{ 'aurore_vm' in group_names }}" myorigin: "auro.re" # myhostname should be the FQDN (Fully Qualified Domain Name) myhostname: "mail.adm.auro.re" +local_network: "10.128.0.0/24" From e26bc5f8c1849c80d602ed40e41c02ca7b10bce9 Mon Sep 17 00:00:00 2001 From: Solal Nathan Date: Sat, 30 Jan 2021 00:30:35 +0100 Subject: [PATCH 098/126] fix typo and indentation problem --- roles/dovecot/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml index 68e6387..81c10ed 100644 --- a/roles/dovecot/tasks/main.yml +++ b/roles/dovecot/tasks/main.yml 
@@ -10,16 +10,16 @@
 - dovecot-lmtpd
 - dovecot-ldap
 - dovecot-pop3d
- register: apt_result
- retries: 3
- until: apt_result is succeeded
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
 
 # Create the vmail user with UID and GID 5000
 - name: Create vmail user
 user:
 name: vmail
 uid: 5000
- gid: 5000
+ group: 5000
 home: /var/vmail
 
 # Create mail user seive directory with right ownernship and rights
From ab124e560a57b9d104807f74de814206df726424 Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Sat, 30 Jan 2021 00:34:54 +0100
Subject: [PATCH 099/126] Fix indentation... again
---
 roles/dovecot/tasks/main.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
index 81c10ed..91630d7 100644
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -46,14 +46,14 @@
 src: "{{ item }}.j2"
 dest: "/etc/dovecot/conf.d/{{ item }}"
 mode: 0644
- loop:
- - "10-auth.conf"
- - "10-mail.conf"
- - "10-master.conf"
- - "10-ssl.conf"
- - "10-logging.conf"
- - "auth-system.conf.ext"
- notify: Restart dovecot
+ loop:
+ - "10-auth.conf"
+ - "10-mail.conf"
+ - "10-master.conf"
+ - "10-ssl.conf"
+ - "10-logging.conf"
+ - "auth-system.conf.ext"
+ notify: Restart dovecot
 
 # Add the Dovecot configuration file outside of conf.d
 - name: Add Dovecot configuration outside of conf.d
@@ -63,4 +63,4 @@
 mode: 0600 # only legible by root
 owner: root
 group: root
- notify: Restart dovecot
+ notify: Restart dovecot
From 012a6076f3c0b5a7b39b36780c362e7d2b1ad066 Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Sat, 30 Jan 2021 00:38:15 +0100
Subject: [PATCH 100/126] fix conf.d template files path
---
 roles/dovecot/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
index 91630d7..108ca58 100644
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
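Review bot: `group: 5000` on the `user` module only works if a group with that name or GID already exists, and nothing in this hunk (or elsewhere on this page) creates one, so the `Create vmail user` task will fail with a missing-group error on a fresh host; the `gid:` key it replaces was never a valid `user` parameter either. Add a `group` task before the user task and reference the group by name (`group: vmail`) so the primary group is created with the GID the comment promises. The apt task at the top of the hunk starts outside it.
```yaml
# The vmail group must exist before the user task below can reference it
- name: Create vmail group
  group:
    name: vmail
    gid: 5000

# … unchanged: Create vmail user task, with `group: vmail` …
```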
@@ -43,7 +43,7 @@ # Add the Dovecot configuration files (conf.d) - name: Add Dovecot configuration in conf.d template: - src: "{{ item }}.j2" + src: "conf.d/{{ item }}.j2" dest: "/etc/dovecot/conf.d/{{ item }}" mode: 0644 loop: From c36e52c26351fd8cdd5add861f92bcf3690f3a53 Mon Sep 17 00:00:00 2001 From: Solal Nathan Date: Sat, 30 Jan 2021 00:41:30 +0100 Subject: [PATCH 101/126] Add sane logging timestamp format --- roles/dovecot/templates/conf.d/10-logging.conf.j2 | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 roles/dovecot/templates/conf.d/10-logging.conf.j2 diff --git a/roles/dovecot/templates/conf.d/10-logging.conf.j2 b/roles/dovecot/templates/conf.d/10-logging.conf.j2 new file mode 100644 index 0000000..a2840ce --- /dev/null +++ b/roles/dovecot/templates/conf.d/10-logging.conf.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} +# Dovecot configuration for Aurore +# More info at https://gitea.auro.re/Aurore/ansible +# And on the Dovecot wiki : https://doc.dovecot.org/ + +# Prefix for each line written to log file. % codes are in strftime(3) format. +#log_timestamp = "%b %d %H:%M:%S " +log_timestamp = "%Y-%m-%d %H:%M:%S " From c1fc197da72f95eae70d72d6fa30efaee78d6830 Mon Sep 17 00:00:00 2001 From: Solal Nathan Date: Sat, 30 Jan 2021 00:46:00 +0100 Subject: [PATCH 102/126] remove non-existant conf file from the role --- roles/dovecot/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml index 108ca58..24e1b01 100644 --- a/roles/dovecot/tasks/main.yml +++ b/roles/dovecot/tasks/main.yml @@ -52,7 +52,6 @@ - "10-master.conf" - "10-ssl.conf" - "10-logging.conf" - - "auth-system.conf.ext" notify: Restart dovecot # Add the Dovecot configuration file outside of conf.d From 4bcdbec9c409d3cbd3896a75d0b22ad5cf8235af Mon Sep 17 00:00:00 2001 
From: Solal Nathan Date: Sat, 30 Jan 2021 00:56:17 +0100 Subject: [PATCH 103/126] Don't add conf.d/*.conf into a file that is itself already there! dumb dumb --- roles/dovecot/templates/conf.d/10-auth.conf.j2 | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/dovecot/templates/conf.d/10-auth.conf.j2 b/roles/dovecot/templates/conf.d/10-auth.conf.j2 index e850270..a6d6de4 100644 --- a/roles/dovecot/templates/conf.d/10-auth.conf.j2 +++ b/roles/dovecot/templates/conf.d/10-auth.conf.j2 @@ -3,9 +3,6 @@ # More info at https://gitea.auro.re/Aurore/ansible # And on the Dovecot wiki : https://doc.dovecot.org/ -# Include every configuration file in conf.d -!include conf.d/*.conf - # Include LDAP conf !include auth-ldap.conf.ext From 3b19ef06eed7454b41a63a476cb680a023a33a8f Mon Sep 17 00:00:00 2001 From: Solal Nathan Date: Sat, 30 Jan 2021 01:05:37 +0100 Subject: [PATCH 104/126] Add config in the right section --- roles/dovecot/templates/conf.d/10-master.conf.j2 | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/roles/dovecot/templates/conf.d/10-master.conf.j2 b/roles/dovecot/templates/conf.d/10-master.conf.j2 index 39b2421..4d91b7a 100644 --- a/roles/dovecot/templates/conf.d/10-master.conf.j2 +++ b/roles/dovecot/templates/conf.d/10-master.conf.j2 @@ -5,9 +5,12 @@ # IMAP/POP/STMP auth configuration -# Postfix smtp-auth -unix_listener /var/spool/postfix/private/auth { - mode = 0660 - user = postfix - group = postfix +service auth { + + # Postfix smtp-auth + unix_listener /var/spool/postfix/private/auth { + mode = 0660 + user = postfix + group = postfix + } } From 0d9de57a78fbe066bd8407561b86f0b0a61ffa76 Mon Sep 17 00:00:00 2001 From: Solal Nathan Date: Sat, 30 Jan 2021 01:10:31 +0100 Subject: [PATCH 105/126] Add LMTP for Postfix-Dovecot communication --- roles/dovecot/templates/conf.d/10-master.conf.j2 | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/roles/dovecot/templates/conf.d/10-master.conf.j2 b/roles/dovecot/templates/conf.d/10-master.conf.j2 index 4d91b7a..b6a7d10 100644 --- a/roles/dovecot/templates/conf.d/10-master.conf.j2 +++ b/roles/dovecot/templates/conf.d/10-master.conf.j2 @@ -5,6 +5,7 @@ # IMAP/POP/STMP auth configuration +# Authentification service auth { # Postfix smtp-auth @@ -14,3 +15,12 @@ service auth { group = postfix } } + +# Local LMTP +service lmtp { + unix listener /var/spool/postfix/private/dovecot-lmtp { + group = postfix + mode = 0600 + user = postfix + } +} From 477781e293e997b920b125ead475ac344424ba95 Mon Sep 17 00:00:00 2001 From: Solal Nathan Date: Sat, 30 Jan 2021 01:14:53 +0100 Subject: [PATCH 106/126] Fix syntax: don't forget the underscore --- roles/dovecot/templates/conf.d/10-master.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dovecot/templates/conf.d/10-master.conf.j2 b/roles/dovecot/templates/conf.d/10-master.conf.j2 index b6a7d10..6ba775b 100644 --- a/roles/dovecot/templates/conf.d/10-master.conf.j2 +++ b/roles/dovecot/templates/conf.d/10-master.conf.j2 @@ -18,7 +18,7 @@ service auth { # Local LMTP service lmtp { - unix listener /var/spool/postfix/private/dovecot-lmtp { + unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix From b8edf512f7717e4d3a3dfdf7a3b35e37d21c0819 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Wed, 3 Feb 2021 20:18:46 +0100 Subject: [PATCH 107/126] Enable Dovecot sieve --- roles/dovecot/templates/conf.d/20-lmtp.conf | 31 +++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 roles/dovecot/templates/conf.d/20-lmtp.conf diff --git a/roles/dovecot/templates/conf.d/20-lmtp.conf b/roles/dovecot/templates/conf.d/20-lmtp.conf new file mode 100644 index 0000000..4d40470 --- /dev/null +++ b/roles/dovecot/templates/conf.d/20-lmtp.conf 
@@ -0,0 +1,31 @@ +# {{ ansible_managed }} +# Dovecot configuration for Aurore +# More info at https://gitea.auro.re/Aurore/ansible +# And on the Dovecot wiki : https://doc.dovecot.org/ + +## +## LMTP specific settings +## + +# Support proxying to other LMTP/SMTP servers by performing passdb lookups. +#lmtp_proxy = no + +# When recipient address includes the detail (e.g. user+detail), try to save +# the mail to the detail mailbox. See also recipient_delimiter and +# lda_mailbox_autocreate settings. +#lmtp_save_to_detail_mailbox = no + +# Verify quota before replying to RCPT TO. This adds a small overhead. +#lmtp_rcpt_check_quota = no + +# Which recipient address to use for Delivered-To: header and Received: +# header. The default is "final", which is the same as the one given to +# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT +# parameter, "none" uses nothing. Note that "none" is currently always used +# when a mail has multiple recipients. +#lmtp_hdr_delivery_address = final + +protocol lmtp { + # Space separated list of plugins to load (default is global mail_plugins). + mail_plugins = $mail_plugins sieve +} From 4d769ff6d3a1f769f0106a603cdb8a91c29d6987 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Wed, 3 Feb 2021 23:20:10 +0100 Subject: [PATCH 108/126] Add quota to dovecot --- roles/dovecot/templates/conf.d/90-quota.conf | 97 ++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 roles/dovecot/templates/conf.d/90-quota.conf diff --git a/roles/dovecot/templates/conf.d/90-quota.conf b/roles/dovecot/templates/conf.d/90-quota.conf new file mode 100644 index 0000000..431acfb --- /dev/null +++ b/roles/dovecot/templates/conf.d/90-quota.conf 
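Review bot: `roles/dovecot/templates/conf.d/20-lmtp.conf` contains a `{{ ansible_managed }}` expression but lacks the `.j2` suffix, and the conf.d template task on this page renders `"conf.d/{{ item }}.j2"` for an explicit list (`10-auth.conf` … `10-logging.conf`) that does not include it, so unless the loop is extended in a change not shown here the file is never deployed and the sieve plugin is never enabled for LMTP. Rename it to `20-lmtp.conf.j2` and add `- "20-lmtp.conf"` to that loop. The same applies to `90-quota.conf` in the next patch.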
@@ -0,0 +1,97 @@ +# {{ ansible_managed }} +# Dovecot configuration for Aurore +# More info at https://gitea.auro.re/Aurore/ansible +# And on the Dovecot wiki : https://doc.dovecot.org/ + +## +## Quota configuration. +## + +# Note that you also have to enable quota plugin in mail_plugins setting. +# + +## +## Quota limits +## + +# Quota limits are set using "quota_rule" parameters. To get per-user quota +# limits, you can set/override them by returning "quota_rule" extra field +# from userdb. It's also possible to give mailbox-specific limits, for example +# to give additional 100 MB when saving to Trash: + +plugin { + #quota_rule = *:storage=1G + #quota_rule2 = Trash:storage=+100M + + # LDA/LMTP allows saving the last mail to bring user from under quota to + # over quota, if the quota doesn't grow too high. Default is to allow as + # long as quota will stay under 10% above the limit. Also allowed e.g. 10M. + #quota_grace = 10%% + + # Quota plugin can also limit the maximum accepted mail size. + #quota_max_mail_size = 100M +} + +## +## Quota warnings +## + +# You can execute a given command when user exceeds a specified quota limit. +# Each quota root has separate limits. Only the command for the first +# exceeded limit is executed, so put the highest limit first. +# The commands are executed via script service by connecting to the named +# UNIX socket (quota-warning below). +# Note that % needs to be escaped as %%, otherwise "% " expands to empty. + +plugin { + #quota_warning = storage=95%% quota-warning 95 %u + #quota_warning2 = storage=80%% quota-warning 80 %u +} + +# Example quota-warning service. The unix listener's permissions should be +# set in a way that mail processes can connect to it. Below example assumes +# that mail processes run as vmail user. If you use mode=0666, all system users +# can generate quota warnings to anyone. 
+#service quota-warning { +# executable = script /usr/local/bin/quota-warning.sh +# user = dovecot +# unix_listener quota-warning { +# user = vmail +# } +#} + +## +## Quota backends +## + +# Multiple backends are supported: +# dirsize: Find and sum all the files found from mail directory. +# Extremely SLOW with Maildir. It'll eat your CPU and disk I/O. +# dict: Keep quota stored in dictionary (eg. SQL) +# maildir: Maildir++ quota +# fs: Read-only support for filesystem quota + +plugin { + #quota = dirsize:User quota + #quota = maildir:User quota + #quota = dict:User quota::proxy::quota + #quota = fs:User quota +} + +# Multiple quota roots are also possible, for example this gives each user +# their own 100MB quota and one shared 1GB quota within the domain: +plugin { + #quota = dict:user::proxy::quota + #quota2 = dict:domain:%d:proxy::quota_domain + #quota_rule = *:storage=102400 + #quota2_rule = *:storage=1048576 +} + + +plugin { + quota = maildir:User quota + + quota_status_success = DUNNO + quota_status_nouser = DUNNO + quota_status_overquota = "452 4.2.2 Mailbox is full and cannot receive any more emails" +} From 49243202b2f4c524e712a1a482b11759f8c2ead0 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Thu, 4 Feb 2021 01:03:18 +0100 Subject: [PATCH 109/126] Add re2o mail server to the roles of the mailserver playbook --- mailserver.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mailserver.yml b/mailserver.yml index d557d2a..00dd0a5 100755 --- a/mailserver.yml +++ b/mailserver.yml @@ -8,8 +8,9 @@ - nfs_client - postfix - dovecot + - re2o-service-mail # - rspamd -# - mail_fail2ban +# - mail-fail2ban # # Make OVH server send mails through proxy ? # Add multiple MX From 3af1aa8a1898314b1fe97de1e6bba9e5abedbbdd Mon Sep 17 00:00:00 2001 
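Review bot: The live `plugin {}` block at the end sets `quota = maildir:User quota` and the `quota_status_*` replies, but the file's own header says the `quota` plugin also has to be listed in `mail_plugins`, and `quota_status_*` only takes effect when a `service quota-status` listener exists for Postfix to query; neither is defined anywhere on this page, so as far as this series shows the quota is inert. Every `quota_rule` in the file is also still commented out, so even once enabled the maildir quota has no limit to enforce. Add a `quota_rule = *:storage=…` line next to the active `quota =` setting and document where `mail_plugins` and the `quota-status` service are expected to be configured.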
From: Otthorn Date: Thu, 4 Feb 2021 01:30:14 +0100 Subject: [PATCH 110/126] Add re2o mail server --- roles/re2o-service-mail/tasks/main.yml | 43 ++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 roles/re2o-service-mail/tasks/main.yml diff --git a/roles/re2o-service-mail/tasks/main.yml b/roles/re2o-service-mail/tasks/main.yml new file mode 100644 index 0000000..1144480 --- /dev/null +++ b/roles/re2o-service-mail/tasks/main.yml @@ -0,0 +1,43 @@ +--- +- name: Create re2o mail-server directory + file: + path: /var/local/re2o-services/mail-server + state: directory + mode: '0775' + owner: root + group: root + +- name: Clone re2o mail-server repository + git: + repo: 'http://gitea.auro.re/aurore/re2o-mail-server.git' + dest: /var/local/re2o-services/mail-server + umask: '002' + +- name: Add API configuration + template: + src: config.ini.j2 + dest: /var/local/re2o-services/mail-server/config.ini + owner: root + group: root + mode: "0700" + +- name: Create generated directory + file: + path: /var/local/re2o-services/mail-server/generated + state: directory + mode: "0755" + owner: root + group: root + +- name: Deploy cron for re2o-mail-server + template: + src: cron.d/re2o-services-mail-server.j2 + dest: /etc/cron.d/re2o-services-mail-server + +- name: Deploy local aliases + template: + src: re2o-services/mail-server/mail-aliases/{{ item }}.j2 + dest: /var/local/re2o-services/mail-server/{{ item }}_local + loop: + - aliases + - virtuals From 5ae66dae15e14a75df937835ed6e91e2a85d9bb0 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Thu, 4 Feb 2021 01:38:49 +0100 Subject: [PATCH 111/126] Re2o API config --- roles/re2o-service-mail/templates/config.ini.j2 | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 roles/re2o-service-mail/templates/config.ini.j2 diff --git a/roles/re2o-service-mail/templates/config.ini.j2 b/roles/re2o-service-mail/templates/config.ini.j2 new file mode 100644 index 0000000..3db22a6 --- /dev/null 
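Review bot: The repository is cloned from `http://gitea.auro.re/...` with no `version:` pin, and the cron template in the following patch runs the checkout's `main.py` as root every five minutes, so whatever an unauthenticated, unpinned fetch returns is executed with full privileges on the mail server. Use `https://` and pin `version:` to a branch or tag (the replacement play later on this page does both with `service_repo: https://…` and `service_version: aurore`). `mode: '0775'` with `umask: '002'` on a root-owned tree that root executes from is also wider than needed; `"0755"` matches the `generated` directory task below it.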
+++ b/roles/re2o-service-mail/templates/config.ini.j2 @@ -0,0 +1,6 @@ +# {{ ansible_managed }} + +[Re2o] +hostname = {{ re2o_hostname }} +username = {{ re2o_api_username }} +password = {{ re2o_api_password }} From ed81571cb81b5ead3e911599f6d5ed4b0c069346 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Thu, 4 Feb 2021 01:46:55 +0100 Subject: [PATCH 112/126] add re2o service mail cron --- .../templates/cron.d/re2o-services-mail-server.j2 | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 roles/re2o-service-mail/templates/cron.d/re2o-services-mail-server.j2 diff --git a/roles/re2o-service-mail/templates/cron.d/re2o-services-mail-server.j2 b/roles/re2o-service-mail/templates/cron.d/re2o-services-mail-server.j2 new file mode 100644 index 0000000..cc35882 --- /dev/null +++ b/roles/re2o-service-mail/templates/cron.d/re2o-services-mail-server.j2 @@ -0,0 +1,2 @@ +{{ ansible_managed | comment }} +*/5 * * * * root /usr/bin/python3 /var/local/re2o-services/mail-server/main.py From 8b59794013b4d99d0a7daeee9ab4ff9cfc5805a2 Mon Sep 17 00:00:00 2001 From: Otthorn Date: Thu, 4 Feb 2021 02:14:52 +0100 Subject: [PATCH 113/126] Add Re2o API vars --- group_vars/all/vars.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 01dd26e..acdc5cb 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -70,6 +70,9 @@ keepalived_password: "{{ vault_keepalived_password[apartment_block] }}" re2o_secret_key: "{{ vault_re2o_secret_key }}" re2o_db_password: "{{ vault_re2o_db_password }}" re2o_aes_key: "{{ vault_re2o_aes_key }}" +re2o_hostname: "re2o.auro.re" +re2o_api_username: "{{ vault_re2o_api_username }}" +re2o_api_password: "{{ vault_re2o_api_password }}" # Radius radius_secret_aurore: "{{ vault_radius_secrets.aurore }}" From cac03b51c013620145a7df50d81e147e13b36135 Mon Sep 17 00:00:00 2001 
From: Otthorn Date: Thu, 4 Feb 2021 02:24:35 +0100 Subject: [PATCH 114/126] Mail VM has a public addr now and FQDN is mail.auro.re --- group_vars/all/vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index acdc5cb..0bd2855 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -99,5 +99,5 @@ is_aurore_host: "{{ 'aurore_vm' in group_names }}" myorigin: "auro.re" # myhostname should be the FQDN (Fully Qualified Domain Name) -myhostname: "mail.adm.auro.re" +myhostname: "mail.auro.re" local_network: "10.128.0.0/24" From 95e67e8fe15ec71c6e688e9ea2be69a5e02a93bf Mon Sep 17 00:00:00 2001 From: Otthorn Date: Thu, 4 Feb 2021 13:02:52 +0100 Subject: [PATCH 115/126] Use correct re2o API vars (don't add them twice in vault, reuse them) --- group_vars/all/vars.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 0bd2855..5917a32 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -71,8 +71,8 @@ re2o_secret_key: "{{ vault_re2o_secret_key }}" re2o_db_password: "{{ vault_re2o_db_password }}" re2o_aes_key: "{{ vault_re2o_aes_key }}" re2o_hostname: "re2o.auro.re" -re2o_api_username: "{{ vault_re2o_api_username }}" -re2o_api_password: "{{ vault_re2o_api_password }}" +re2o_api_username: "service-user" +re2o_api_password: "{{ vault_re2o_serviceuser_passwd }}" # Radius radius_secret_aurore: "{{ vault_radius_secrets.aurore }}" From 59302b7fd822b5ff520f66e439eb6e26543df631 Mon Sep 17 00:00:00 2001 
From: Otthorn Date: Thu, 4 Feb 2021 14:47:40 +0100 Subject: [PATCH 116/126] Don't reinvent the whell, use existing roles (have to be tested) --- mailserver.yml | 15 ++++++- roles/re2o-service-mail/tasks/main.yml | 43 ------------------- .../re2o-service-mail/templates/config.ini.j2 | 6 --- .../cron.d/re2o-services-mail-server.j2 | 2 - 4 files changed, 14 insertions(+), 52 deletions(-) delete mode 100644 roles/re2o-service-mail/tasks/main.yml delete mode 100644 roles/re2o-service-mail/templates/config.ini.j2 delete mode 100644 roles/re2o-service-mail/templates/cron.d/re2o-services-mail-server.j2 diff --git a/mailserver.yml b/mailserver.yml index 00dd0a5..f9725e7 100755 --- a/mailserver.yml +++ b/mailserver.yml @@ -8,10 +8,23 @@ - nfs_client - postfix - dovecot - - re2o-service-mail # - rspamd # - mail-fail2ban # # Make OVH server send mails through proxy ? # Add multiple MX # Configure DKIM, SPF, Greylisting, etc... + + +# Deploy Re2o mail service + - hosts: mail.auro.re + vars: + service_repo: https://gitea.auro.re/aurore/re2o-mail-server.git + service_name: mail-server + service_version: aurore + service_config: + hostname: re2o-test.adm.auro.re # use test instance for now, should be changed for prod! + username: service-user + password: "{{ vault_serviceuser_passwd }}" + roles: + - re2o-service diff --git a/roles/re2o-service-mail/tasks/main.yml b/roles/re2o-service-mail/tasks/main.yml deleted file mode 100644 index 1144480..0000000 --- a/roles/re2o-service-mail/tasks/main.yml +++ /dev/null 
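Review bot: The new play reads the API password from `vault_serviceuser_passwd`, while the `group_vars/all/vars.yml` patch just above on this page defines `re2o_api_password: "{{ vault_re2o_serviceuser_passwd }}"`; one of the two vault names is presumably undefined, so either the play or the group var fails at render time. Reuse the group vars instead of naming the vault key a second time: `hostname: "{{ re2o_hostname }}"`, `username: "{{ re2o_api_username }}"`, `password: "{{ re2o_api_password }}"`. The same `vars:` block is re-indented in the later `fix yaml syntax` patch and keeps the mismatch, and the `re2o-test.adm.auro.re` hostname the author flags as temporary would then be controlled from one place.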
@@ -1,43 +0,0 @@ ---- -- name: Create re2o mail-server directory - file: - path: /var/local/re2o-services/mail-server - state: directory - mode: '0775' - owner: root - group: root - -- name: Clone re2o mail-server repository - git: - repo: 'http://gitea.auro.re/aurore/re2o-mail-server.git' - dest: /var/local/re2o-services/mail-server - umask: '002' - -- name: Add API configuration - template: - src: config.ini.j2 - dest: /var/local/re2o-services/mail-server/config.ini - owner: root - group: root - mode: "0700" - -- name: Create generated directory - file: - path: /var/local/re2o-services/mail-server/generated - state: directory - mode: "0755" - owner: root - group: root - -- name: Deploy cron for re2o-mail-server - template: - src: cron.d/re2o-services-mail-server.j2 - dest: /etc/cron.d/re2o-services-mail-server - -- name: Deploy local aliases - template: - src: re2o-services/mail-server/mail-aliases/{{ item }}.j2 - dest: /var/local/re2o-services/mail-server/{{ item }}_local - loop: - - aliases - - virtuals diff --git a/roles/re2o-service-mail/templates/config.ini.j2 b/roles/re2o-service-mail/templates/config.ini.j2 deleted file mode 100644 index 3db22a6..0000000 --- a/roles/re2o-service-mail/templates/config.ini.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# {{ ansible_managed }} - -[Re2o] -hostname = {{ re2o_hostname }} -username = {{ re2o_api_username }} -password = {{ re2o_api_password }} diff --git a/roles/re2o-service-mail/templates/cron.d/re2o-services-mail-server.j2 b/roles/re2o-service-mail/templates/cron.d/re2o-services-mail-server.j2 deleted file mode 100644 index cc35882..0000000 --- a/roles/re2o-service-mail/templates/cron.d/re2o-services-mail-server.j2 +++ /dev/null @@ -1,2 +0,0 @@ -{{ ansible_managed | comment }} -*/5 * * * * root /usr/bin/python3 /var/local/re2o-services/mail-server/main.py From d0196c8c00530f24f06953633d0d8c31a30b638b Mon Sep 17 00:00:00 2001 
From: Otthorn Date: Thu, 4 Feb 2021 23:18:23 +0100 Subject: [PATCH 117/126] Postfix conf add certs and other security related modifications --- host_vars/mail.auro.re.yml | 5 +++++ roles/postfix/templates/main.cf.j2 | 31 ++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/host_vars/mail.auro.re.yml b/host_vars/mail.auro.re.yml index cc3ff9f..64da62b 100644 --- a/host_vars/mail.auro.re.yml +++ b/host_vars/mail.auro.re.yml @@ -5,6 +5,11 @@ certbot: - smtp.auro.re mail: tech.aurore@lists.crans.org certname: auro.re + cert_path_prefix = "/etc/letsencrypt/live/{{ certbot.certname }}" + cert_path_cert = "{{ cerbot.cert_path_prefix }}/cert.pem" + cert_path_chain = "{{ cerbot.cert_path_prefix }}/chain.pem" + cert_path_fullchain = "{{ cerbot.cert_path_prefix }}/fullchain.pem" + cert_path_privkey = "{{ cerbot.cert_path_prefix }}/privkey.pem" nfs: src: "10.128.0.6:/data_mail" # caradoc diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2 index 97412c2..e312caa 100644 --- a/roles/postfix/templates/main.cf.j2 +++ b/roles/postfix/templates/main.cf.j2 
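Review bot: The five `cert_path_*` lines use `key = value` instead of `key: value`, so they are not mapping entries at all; YAML either folds them into the preceding `certname: auro.re` plain scalar or rejects the document, and `certbot.cert_path_fullchain` referenced by the Postfix template in the next hunk never exists. Four of them also read `cerbot.cert_path_prefix` (missing `t`), which is an undefined variable. That misspelling survives both follow-up patches on this page: `cerbot.cert_path_prefix` again in `fix yaml syntax`, then `{{ cerbot.certname }}` in the `cert:` rewrite of `Fix broken vars`, where `{{ path_prefix }}` is additionally a bare name that does not resolve to `cert.path_prefix`; write `{{ certbot.certname }}` and `{{ cert.path_prefix }}` (or a flat top-level variable if the self-reference turns out recursive).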
@@ -33,3 +33,34 @@ relay_domains = # Allow plus delimiter recipient_delimiter = + + +# Re2o Generated files +alias_database = hash:/var/local/re2o-services/mail-server/generated/aliases +alias_maps = $alias_database +local_recipient_maps = $alias_maps unix:passwd.byname +virtual_alias_maps = hash:/var/local/re2o-services/mail-server/generated/virtual +relay_recipient_maps = hash:/var/local/re2o-services/mail-server/generated/virtual + +# Tell Postfix to deliver emails to Dovecot through LMTP +virtual_transport = lmtp:unix:private/dovecot-lmtp + +# TLS for reception +smtpd_use_tls = yes +smtpd_tls_security_level = may +smtpd_tls_cert_file = {{ certbot.cert_path_fullchain }} +smtpd_tls_key_file = {{ certbot.cert_path_privkey }} +smtpd_tls_loglevel = 0 +smtpd_tls_received_header = yes + +# TLS for sending +smtp_use_tls = yes +smtp_tls_security_level = may +smtp_tls_loglevel = 1 +smtp_tls_cert_file = +smtp_tls_key_file = +smtp_tls_CApath = /etc/ssl/certs/ + +# Caching TLS sessions +smtpd_tls_session_cache_database=btree:/var/lib/postfix/smtpd_tls_session_cache +smtp_tls_session_cache_database=btree:/var/lib/postfix/smtp_tls_session_cache + From bf692f4501374897bce0ed6e970db00c962b9601 Mon Sep 17 00:00:00 2001 From: Solal Nathan Date: Thu, 4 Feb 2021 23:34:53 +0100 Subject: [PATCH 118/126] Add additional role for mailserver --- roles/re2o_service_mailserver/tasks/main.yml | 15 +++++++++++++++ .../templates/cron.d/re2o-services-mail-server.j2 | 3 +++ 2 files changed, 18 insertions(+) create mode 100644 roles/re2o_service_mailserver/tasks/main.yml create mode 100644 roles/re2o_service_mailserver/templates/cron.d/re2o-services-mail-server.j2 diff --git a/roles/re2o_service_mailserver/tasks/main.yml b/roles/re2o_service_mailserver/tasks/main.yml new file mode 100644 index 0000000..cc2cce5 --- /dev/null +++ b/roles/re2o_service_mailserver/tasks/main.yml 
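Review bot: `smtpd_tls_loglevel = 0` disables TLS logging on the inbound side while the outbound side gets `smtp_tls_loglevel = 1`, which leaves no handshake summaries in the mail log for inbound sessions; set `smtpd_tls_loglevel = 1` so both directions are observable. `smtpd_use_tls = yes` and `smtp_use_tls = yes` are the pre-2.3 spellings and are ignored once `smtpd_tls_security_level`/`smtp_tls_security_level` are set, so they can be dropped. With both levels at `may` the policy is opportunistic and unauthenticated, which is the usual MTA-to-MTA default, but it is worth making the protocol floor explicit rather than inheriting the build's default, e.g. `smtpd_tls_protocols = !SSLv2, !SSLv3` and `smtp_tls_protocols = !SSLv2, !SSLv3`. The hunk also ends with an empty `+` line, adding trailing whitespace to the template.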
@@ -0,0 +1,15 @@
+---
+# Additional configuration for the re2o-service mailserver, you have to deploy the re2o_service first
+
+- name: Create generated directory
+ file:
+ path: /var/local/re2o-services/mail-server/generated
+ state: directory
+ mode: "0755"
+ owner: root
+ group: root
+
+- name: Deploy cron for re2o-mail-server
+ template:
+ src: cron.d/re2o-services-mail-server.j2
+ dest: /etc/cron.d/re2o-services-mail-server
diff --git a/roles/re2o_service_mailserver/templates/cron.d/re2o-services-mail-server.j2 b/roles/re2o_service_mailserver/templates/cron.d/re2o-services-mail-server.j2
new file mode 100644
index 0000000..a1b0231
--- /dev/null
+++ b/roles/re2o_service_mailserver/templates/cron.d/re2o-services-mail-server.j2
@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+# Regenerate Postfix configuration Re2o API every 5 minutes
+*/5 * * * * root /usr/bin/python3 /var/local/re2o-services/mail-server/main.py
From 391d5ce9a022f193cdae9a50439e53b7325d5fe0 Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Thu, 4 Feb 2021 23:35:12 +0100
Subject: [PATCH 119/126] fix yaml syntax
---
 host_vars/mail.auro.re.yml | 10 +++++-----
 mailserver.yml | 25 +++++++++++++------------
 2 files changed, 18 insertions(+), 17 deletions(-)
diff --git a/host_vars/mail.auro.re.yml b/host_vars/mail.auro.re.yml
index 64da62b..289801a 100644
--- a/host_vars/mail.auro.re.yml
+++ b/host_vars/mail.auro.re.yml
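Review bot: The `Deploy cron for re2o-mail-server` task sets no `mode`, `owner` or `group` on a file under `/etc/cron.d`, unlike the `file` task above it and the repository's own "mode should always be set" fix earlier on this page; cron refuses entries in that directory that are not root-owned or are group/world-writable, so the result depends on the controller's umask. Add `mode: "0644"`, `owner: root`, `group: root` to the template task. The header comment also says the `re2o_service` role has to be deployed first while the playbook names it `re2o-service`; use the real role name so the dependency is greppable.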
@@ -5,11 +5,11 @@ certbot: - smtp.auro.re mail: tech.aurore@lists.crans.org certname: auro.re - cert_path_prefix = "/etc/letsencrypt/live/{{ certbot.certname }}" - cert_path_cert = "{{ cerbot.cert_path_prefix }}/cert.pem" - cert_path_chain = "{{ cerbot.cert_path_prefix }}/chain.pem" - cert_path_fullchain = "{{ cerbot.cert_path_prefix }}/fullchain.pem" - cert_path_privkey = "{{ cerbot.cert_path_prefix }}/privkey.pem" + cert_path_prefix: "/etc/letsencrypt/live/{{ certbot.certname }}" + cert_path_cert: "{{ cerbot.cert_path_prefix }}/cert.pem" + cert_path_chain: "{{ cerbot.cert_path_prefix }}/chain.pem" + cert_path_fullchain: "{{ cerbot.cert_path_prefix }}/fullchain.pem" + cert_path_privkey: "{{ cerbot.cert_path_prefix }}/privkey.pem" nfs: src: "10.128.0.6:/data_mail" # caradoc diff --git a/mailserver.yml b/mailserver.yml index f9725e7..fcabd49 100755 --- a/mailserver.yml +++ b/mailserver.yml @@ -6,8 +6,9 @@ - mail_utils - mail_certificates - nfs_client - - postfix + # - postfix - dovecot + - re2o_service_mailserver # - rspamd # - mail-fail2ban # @@ -17,14 +18,14 @@ # Deploy Re2o mail service - - hosts: mail.auro.re - vars: - service_repo: https://gitea.auro.re/aurore/re2o-mail-server.git - service_name: mail-server - service_version: aurore - service_config: - hostname: re2o-test.adm.auro.re # use test instance for now, should be changed for prod! - username: service-user - password: "{{ vault_serviceuser_passwd }}" - roles: - - re2o-service +- hosts: mail.auro.re + vars: + service_repo: https://gitea.auro.re/aurore/re2o-mail-server.git + service_name: mail-server + service_version: aurore + service_config: + hostname: re2o-test.adm.auro.re # use test instance for now, should be changed for prod! + username: service-user + password: "{{ vault_serviceuser_passwd }}" + roles: + - re2o-service From 9e6a127a8fcfccc137aa6a3bba70e0d90d188fb9 Mon Sep 17 00:00:00 2001 
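Review bot: `re2o_service_mailserver` is added to the first play's `roles:`, but the checkout it depends on is only produced by `re2o-service` in the second play, so the root cron job it installs (every five minutes per its template) fires against a missing `/var/local/re2o-services/mail-server/main.py` until the second play finishes, contrary to the role's own "deploy the service first" comment. Move `- re2o_service_mailserver` below `- re2o-service` in the second play. Commenting out `# - postfix` while the cron keeps regenerating Postfix maps looks like a temporary measure; if so, a comment saying why would help the next reader. The enclosing play list starts outside the first hunk.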
From: Solal Nathan
Date: Thu, 4 Feb 2021 23:44:32 +0100
Subject: [PATCH 120/126] Fix broken vars
---
 host_vars/mail.auro.re.yml | 12 +++++++-----
 roles/postfix/templates/main.cf.j2 | 4 ++--
 roles/re2o-service/tasks/main.yml | 5 +++++
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/host_vars/mail.auro.re.yml b/host_vars/mail.auro.re.yml
index 289801a..7ff5f11 100644
--- a/host_vars/mail.auro.re.yml
+++ b/host_vars/mail.auro.re.yml
@@ -5,11 +5,13 @@ certbot:
 - smtp.auro.re
 mail: tech.aurore@lists.crans.org
 certname: auro.re
- cert_path_prefix: "/etc/letsencrypt/live/{{ certbot.certname }}"
- cert_path_cert: "{{ cerbot.cert_path_prefix }}/cert.pem"
- cert_path_chain: "{{ cerbot.cert_path_prefix }}/chain.pem"
- cert_path_fullchain: "{{ cerbot.cert_path_prefix }}/fullchain.pem"
- cert_path_privkey: "{{ cerbot.cert_path_prefix }}/privkey.pem"
+
+cert:
+ path_prefix: "/etc/letsencrypt/live/{{ cerbot.certname }}"
+ #path_cert: "{{ path_prefix }}/cert.pem"
+ #path_chain: "{{ path_prefix }}/chain.pem"
+ path_fullchain: "{{ path_prefix }}/fullchain.pem"
+ path_privkey: "{{ path_prefix }}/privkey.pem"
 
 nfs:
 src: "10.128.0.6:/data_mail" # caradoc
diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
index e312caa..2173961 100644
--- a/roles/postfix/templates/main.cf.j2
+++ b/roles/postfix/templates/main.cf.j2
@@ -47,8 +47,8 @@ virtual_transport = lmtp:unix:private/dovecot-lmtp
 # TLS for reception
 smtpd_use_tls = yes
 smtpd_tls_security_level = may
-smtpd_tls_cert_file = {{ certbot.cert_path_fullchain }}
-smtpd_tls_key_file = {{ certbot.cert_path_privkey }}
+smtpd_tls_cert_file = {{ cert.path_fullchain }}
+smtpd_tls_key_file = {{ cert.path_privkey }}
 smtpd_tls_loglevel = 0
 smtpd_tls_received_header = yes
 
diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o-service/tasks/main.yml
index 68e963c..1f7902d 100644
--- a/roles/re2o-service/tasks/main.yml
+++ b/roles/re2o-service/tasks/main.yml
@@ -12,6 +12,11 @@ retries: 3 until: apt_result is succeeded +- name: "Create the local user {{ service_user }}" + user: + create_home: false + name: "{{ service_user }}" + - name: "Clone re2o {{ service_name }} project" git: repo: "{{ service_repo }}" From a2fbe9b1e6a09de4051294dc80ae21d1e3514ce5 Mon Sep 17 00:00:00 2001 From: Solal Nathan Date: Fri, 5 Feb 2021 00:05:26 +0100 Subject: [PATCH 121/126] Post renewal hook for certbot to reload dovecot and postfix --- .../renewal-hooks/reload-mail-services.sh.j2 | 6 ++++++ roles/mail_certificates/tasks/main.yml | 13 +++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 roles/mail_certificates/letsencrypt/renewal-hooks/reload-mail-services.sh.j2 diff --git a/roles/mail_certificates/letsencrypt/renewal-hooks/reload-mail-services.sh.j2 b/roles/mail_certificates/letsencrypt/renewal-hooks/reload-mail-services.sh.j2 new file mode 100644 index 0000000..094fc7b --- /dev/null +++ b/roles/mail_certificates/letsencrypt/renewal-hooks/reload-mail-services.sh.j2 @@ -0,0 +1,6 @@ +#!/bin/sh +{{ ansible_manged | comment }} +# Reload Postcot and Dovecot after certificates are (re)generated + +systemctl reload postfix +systemctl reload dovecot diff --git a/roles/mail_certificates/tasks/main.yml b/roles/mail_certificates/tasks/main.yml index 2a4e30f..2ad6314 100644 --- a/roles/mail_certificates/tasks/main.yml +++ b/roles/mail_certificates/tasks/main.yml @@ -22,3 +22,16 @@ dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" mode: 0644 notify: Generate certificates + +- name: Make sure let's encrypt renewal-hooks exists + file: + path: /etc/letsencrypt/renewal-hooks/deploy + state: directory + +- name: Reload Postfix and Dovecot after certificate renewal + template: + src: letsencrypt/renewal-hooks/deploy/reload-mail-services.sh.j2 + dest: /etc/letsencrypt/renewal-hooks/deploy/reload-mail-services.sh + mode: 0755 + +# TODO: add motd From 402b2034891658ac15157b7836b34346bacbbec3 Mon Sep 17 00:00:00 2001 
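Review bot: The new `user` task creates `{{ service_user }}` with only `create_home: false`, so the account gets a regular (non-system) UID and the distribution's default login shell, which is more than an account that merely owns a cloned repository needs. Adding `system: true` and `shell: /usr/sbin/nologin` keeps it out of the interactive-login UID range and makes a stray password or authorized key useless. Note also that the play in `mailserver.yml` (PATCH 119 above) defines `service_repo`, `service_name`, `service_version` and `service_config` but no `service_user`; unless the role's `defaults/` supply it, both the task name and `name:` here fail on an undefined variable.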
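Review bot: The hook runs `systemctl reload postfix` and `systemctl reload dovecot` without `set -e`, so a failed Postfix reload is masked by the following Dovecot reload and certbot records the deploy hook as successful, leaving Postfix on the old certificate with nothing in the renewal log; add `set -e` after the shebang. Certbot runs every script in `renewal-hooks/deploy` for every lineage it renews and exports the renewed lineage directory as `RENEWED_LINEAGE`, so if this host ever holds more than one certificate a guard such as `[ "${RENEWED_LINEAGE##*/}" = "{{ certbot.certname }}" ] || exit 0` keeps unrelated renewals from bouncing the mail daemons. `{{ ansible_manged | comment }}` is misspelled and would fail the template render; PATCH 122 below fixes the spelling and relocates the file, and the `set -e` and lineage remarks apply equally to that copy.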
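Review bot: The template task's `src: letsencrypt/renewal-hooks/deploy/reload-mail-services.sh.j2` resolves under `roles/mail_certificates/templates/`, but this commit adds the file at `roles/mail_certificates/letsencrypt/renewal-hooks/reload-mail-services.sh.j2` (no `templates/`, no `deploy/`), so the task fails with a missing-template error until PATCH 122/123 move it. Since certbot executes everything in `/etc/letsencrypt/renewal-hooks/deploy` as root, both tasks should pin ownership instead of inheriting the caller's umask: give the `file` task `mode: 0755`, `owner: root`, `group: root`, and add the same `owner`/`group` to the template task beside its `mode: 0755`. Installing the hook does not reload anything for a certificate that was already issued, so a `notify` to a Postfix/Dovecot reload handler, if the roles have one, may be wanted on first deployment.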
From: Solal Nathan
Date: Fri, 5 Feb 2021 00:07:36 +0100
Subject: [PATCH 122/126] move files to the right place and fix small typo

---
 .../renewal-hooks/deploy/reload-mail-services.sh.j2 | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 roles/mail_certificates/templates/letsencrypt/renewal-hooks/deploy/reload-mail-services.sh.j2

diff --git a/roles/mail_certificates/templates/letsencrypt/renewal-hooks/deploy/reload-mail-services.sh.j2 b/roles/mail_certificates/templates/letsencrypt/renewal-hooks/deploy/reload-mail-services.sh.j2
new file mode 100644
index 0000000..87b217f
--- /dev/null
+++ b/roles/mail_certificates/templates/letsencrypt/renewal-hooks/deploy/reload-mail-services.sh.j2
@@ -0,0 +1,6 @@
+#!/bin/sh
+{{ ansible_managed | comment }}
+# Reload Postcot and Dovecot after certificates are (re)generated
+
+systemctl reload postfix
+systemctl reload dovecot
From 5dcb7eb0d16a034106ae76d1215407d3a39695bf Mon Sep 17 00:00:00 2001
From: Solal Nathan
Date: Fri, 5 Feb 2021 00:09:12 +0100
Subject: [PATCH 123/126] Remove file since I did not git mv correclty...

---
 .../letsencrypt/renewal-hooks/reload-mail-services.sh.j2 | 6 ------
 1 file changed, 6 deletions(-)
 delete mode 100644 roles/mail_certificates/letsencrypt/renewal-hooks/reload-mail-services.sh.j2

diff --git a/roles/mail_certificates/letsencrypt/renewal-hooks/reload-mail-services.sh.j2 b/roles/mail_certificates/letsencrypt/renewal-hooks/reload-mail-services.sh.j2
deleted file mode 100644
index 094fc7b..0000000
--- a/roles/mail_certificates/letsencrypt/renewal-hooks/reload-mail-services.sh.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-{{ ansible_manged | comment }}
-# Reload Postcot and Dovecot after certificates are (re)generated
-
-systemctl reload postfix
-systemctl reload dovecot
From 18ca5b48058e3dad35c70a7e716d24b942fd38c2 Mon Sep 17 00:00:00 2001
From: Solal Nathan Date: Fri, 5 Feb 2021 01:17:58 +0100 Subject: [PATCH 124/126] Fix postfix cert variables --- host_vars/mail.auro.re.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/host_vars/mail.auro.re.yml b/host_vars/mail.auro.re.yml index 7ff5f11..e369fa0 100644 --- a/host_vars/mail.auro.re.yml +++ b/host_vars/mail.auro.re.yml @@ -7,11 +7,10 @@ certbot: certname: auro.re cert: - path_prefix: "/etc/letsencrypt/live/{{ cerbot.certname }}" - #path_cert: "{{ path_prefix }}/cert.pem" - #path_chain: "{{ path_prefix }}/chain.pem" - path_fullchain: "{{ path_prefix }}/fullchain.pem" - path_privkey: "{{ path_prefix }}/privkey.pem" + #path_cert: "/etc/letsencrypt/live/auro.re/cert.pem" + #path_chain: "/etc/letsencrypt/live/auro.re/chain.pem" + path_fullchain: "/etc/letsencrypt/live/auro.re/fullchain.pem" + path_privkey: "/etc/letsencrypt/live/auro.re/privkey.pem" nfs: src: "10.128.0.6:/data_mail" # caradoc From 11d5d19bb691a8784795bc0b8eb607bba36260a7 Mon Sep 17 00:00:00 2001 From: Solal Nathan Date: Fri, 5 Feb 2021 01:35:46 +0100 Subject: [PATCH 125/126] Add postfix quota check --- roles/postfix/templates/main.cf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2 index 2173961..27f243c 100644 --- a/roles/postfix/templates/main.cf.j2 +++ b/roles/postfix/templates/main.cf.j2 @@ -64,3 +64,7 @@ smtp_tls_CApath = /etc/ssl/certs/ smtpd_tls_session_cache_database=btree:/var/lib/postfix/smtpd_tls_session_cache smtp_tls_session_cache_database=btree:/var/lib/postfix/smtp_tls_session_cache +# Reject mail if user if overquota +smtpd_recipient_restrictions = + reject_unauth_destination + check_policy_service unix:private/quota-status From 4cd6a2d2c55a9aa511560539831847dafe962370 Mon Sep 17 00:00:00 2001 
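Review bot: The new `path_fullchain` and `path_privkey` values hardcode `/etc/letsencrypt/live/auro.re/…` while `certbot.certname: auro.re` sits three lines above in the same file, so a future change of the certificate name silently leaves Postfix pointing at the old lineage. Templating from the other top-level mapping avoids both the self-reference loop the previous attempts hit and the duplication: `path_fullchain: "/etc/letsencrypt/live/{{ certbot.certname }}/fullchain.pem"` and `path_privkey: "/etc/letsencrypt/live/{{ certbot.certname }}/privkey.pem"`. The two commented-out `#path_cert`/`#path_chain` lines are dead configuration and can go.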
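Review bot: `check_policy_service unix:private/quota-status` depends on a Dovecot `quota-status` service listening on `/var/spool/postfix/private/quota-status` with permissions the Postfix `smtpd` process can use; nothing on this page configures it, and when a policy service is unreachable Postfix tempfails every `RCPT TO` with a `4.3.5` server-configuration-problem reply, so this hunk can stall all inbound mail rather than only enforce quota — confirm the dovecot role defines that listener before merging. Setting `smtpd_recipient_restrictions` explicitly also replaces the default list: on Postfix 2.10 and later relay control lives in `smtpd_relay_restrictions`, so `reject_unauth_destination` here is harmless but redundant, whereas on older releases the absence of `permit_mynetworks`/`permit_sasl_authenticated` would block authenticated submission; a comment stating the assumed Postfix version would make the intent checkable. The comment has a typo; `# Reject mail if the recipient is over quota` reads correctly.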
From: Solal Nathan
Date: Fri, 5 Feb 2021 01:50:56 +0100
Subject: [PATCH 126/126] Correct typo, this one was sneaky!

---
 roles/dovecot/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
index 24e1b01..2b8e320 100644
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -58,7 +58,7 @@
 - name: Add Dovecot configuration outside of conf.d
 template:
 src: "dovecot-ldap.conf.ext.j2"
- dest: "/etc/dovecot/dovecot-ldap-conf.ext"
+ dest: "/etc/dovecot/dovecot-ldap.conf.ext"
 mode: 0600 # only legible by root
 owner: root
 group: root
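Review bot: Correcting `dest` to `/etc/dovecot/dovecot-ldap.conf.ext` leaves the previously deployed `/etc/dovecot/dovecot-ldap-conf.ext` in place on every host already provisioned; judging by the template name and the `mode: 0600 # only legible by root` comment it presumably holds LDAP bind settings, and it will now drift from the managed copy. A companion task `file: path: /etc/dovecot/dovecot-ldap-conf.ext, state: absent` removes the stale file so the only LDAP credential file on disk is the one under management. Whether Dovecot ever read the misnamed file before this fix depends on the include in the main configuration, which is not on this page.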